Platform: java
Component: frontend-js-module
Fixed in: 7.4.4, 7.4.14, 7.3.11, 7.2.11
CVE-2024-26269 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in the Frontend JS module of Liferay Portal. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML, potentially compromising user accounts and system integrity. The vulnerability affects Liferay Portal versions 7.2.0 through 7.4.3.37, as well as Liferay DXP versions prior to update 38. A fix is available in Liferay Portal 7.4.4.
Successful exploitation of CVE-2024-26269 allows an attacker to inject malicious JavaScript code into a Liferay Portal page viewed by other users. This can lead to a variety of attacks, including session hijacking, credential theft, and defacement of the portal. The attacker could potentially gain complete control over user accounts, access sensitive data, and even compromise the entire Liferay instance. The anchor (hash) portion of a URL is the attack vector, making it relatively easy to craft malicious links and distribute them to unsuspecting users. Because a browser never sends the fragment to the server, the payload is processed entirely client-side and will not appear in server request logs. This vulnerability is particularly concerning given Liferay's widespread use in enterprise environments, where sensitive data and critical business processes are often managed.
CVE-2024-26269 was publicly disclosed on February 21, 2024. While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Organizations using Liferay Portal and DXP versions 7.2.0 through 7.4.3.37 are at risk. This includes businesses relying on Liferay for content management, collaboration, and digital experience delivery. Shared hosting environments where multiple customers share the same Liferay instance are particularly vulnerable, as an attacker could potentially compromise other tenants.
• linux / server:
  journalctl -u liferay-portal | grep -iE 'script|html'
  (single -E pattern instead of two -i flags; the original form treated 'html' as a file name)
• generic web:
  curl -I "https://your-liferay-portal/some/page#<script>alert('XSS')</script>" | grep -i 'content-type'
  (the URL must be quoted so the shell does not treat < and > as redirections; note that curl, like a browser, never transmits the text after '#', so this only confirms the page's Content-Type and cannot exercise the vulnerable client-side code)
• wordpress / composer / npm: (Not applicable, as Liferay is not a WordPress/Composer/npm component)
• database (mysql, redis, mongodb, postgresql): (Not applicable, as the vulnerability is in the frontend JS)
• windows / supply-chain: (Not applicable, as Liferay is a Java application)
Disclosure:
Patch:
Exploit status:
EPSS: 0.19% (percentile 41%)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-26269 is to upgrade Liferay Portal to version 7.4.4 or later. If immediate upgrading is not possible, consider implementing temporary workarounds. Input validation and output encoding on the affected portlet.js component can help reduce the attack surface, though this is not a substitute for patching. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor Liferay logs for suspicious activity, particularly unusual JavaScript execution patterns or attempts to access sensitive data.
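As an added illustration (not Liferay's code and not the patched portlet.js), the pattern the output-encoding workaround above targets: a URL fragment read client-side and interpolated into markup verbatim, beside a hardened version that allow-lists the fragment and HTML-encodes it before rendering. All function names are hypothetical.

```javascript
// Illustrative example, not Liferay code: unsafe vs. hardened handling of the
// URL fragment (the text after '#'). Function names are hypothetical.

// Extract the fragment the way client-side code typically does: take the text
// after '#' and percent-decode it. Decoding is what re-introduces '<' and '>'
// from a link such as page#%3Cscript%3E.
function fragmentOf(url) {
  const i = url.indexOf("#");
  if (i === -1) return "";
  const raw = url.slice(i + 1);
  try {
    return decodeURIComponent(raw);
  } catch {
    return raw; // malformed percent-encoding: keep the raw text
  }
}

// HTML-encode text destined for an HTML element or attribute context.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Unsafe pattern (the DOM XSS shape): fragment interpolated verbatim into markup
// that is later assigned to innerHTML. Shown for contrast only.
function renderAnchorUnsafe(url) {
  const frag = fragmentOf(url);
  return `<a href="#${frag}">${frag}</a>`;
}

// Anchor ids legitimately used for in-page navigation: a tight allow-list.
function isValidAnchorId(frag) {
  return /^[A-Za-z0-9_-]{1,128}$/.test(frag);
}

// Hardened pattern: validate against the allow-list, reject anything else, and
// still encode on output (defence in depth if the allow-list is later loosened).
function renderAnchorSafe(url) {
  const frag = fragmentOf(url);
  if (!isValidAnchorId(frag)) return null;
  return `<a href="#${encodeHtml(frag)}">${encodeHtml(frag)}</a>`;
}
```

In real DOM code, write the fragment with textContent or setAttribute rather than building markup strings; encoding is the fallback for paths that must produce HTML.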
Update Liferay Portal to the latest available version or apply the corresponding patches provided by Liferay. Consult the Liferay security advisory for detailed instructions on how to apply the necessary updates or patches. This will fix the XSS vulnerability in the Frontend JS module.
CVE-2024-26269 is a critical Cross-Site Scripting (XSS) vulnerability in Liferay Portal's Frontend JS module, allowing attackers to inject malicious scripts via URL hashes.
Yes, if you are running Liferay Portal versions 7.2.0–7.4.3.37 or Liferay DXP versions prior to update 38, you are affected by this vulnerability.
Upgrade Liferay Portal to version 7.4.4 or later to remediate the vulnerability. Consider temporary workarounds like input validation and WAF rules if immediate upgrading is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target.
Refer to the official Liferay security advisory for detailed information and mitigation guidance: [https://liferay.com/security/advisory/liferay-portal-7-4-4-and-liferay-dxp-7-4-4-released](https://liferay.com/security/advisory/liferay-portal-7-4-4-and-liferay-dxp-7-4-4-released)