प्लेटफ़ॉर्म
java
घटक
frontend-js-module
में ठीक किया गया
7.4.4
7.4.14
7.3.11
7.2.11
CVE-2024-26269 describes a critical Cross-Site Scripting (XSS) vulnerability discovered in the Frontend JS module of Liferay Portal. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML, potentially compromising user accounts and system integrity. The vulnerability affects Liferay Portal versions 7.2.0 through 7.4.3.37, as well as Liferay DXP versions prior to update 38. A fix is available in Liferay Portal 7.4.4.
Successful exploitation of CVE-2024-26269 allows an attacker to inject malicious JavaScript code into a Liferay Portal page viewed by other users. This can lead to a variety of attacks, including session hijacking, credential theft, and defacement of the portal. The attacker could potentially gain complete control over user accounts, access sensitive data, and even compromise the entire Liferay instance. The anchor (hash) portion of a URL is the attack vector, making it relatively easy to craft malicious links and distribute them to unsuspecting users. This vulnerability is particularly concerning given Liferay's widespread use in enterprise environments, where sensitive data and critical business processes are often managed.
CVE-2024-26269 was publicly disclosed on February 21, 2024. While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Organizations using Liferay Portal and DXP versions 7.2.0 through 7.4.3.37 are at risk. This includes businesses relying on Liferay for content management, collaboration, and digital experience delivery. Shared hosting environments where multiple customers share the same Liferay instance are particularly vulnerable, as an attacker could potentially compromise other tenants.
• linux / server:
journalctl -u liferay-portal | grep -i 'script' -i 'html'• generic web:
curl -I https://your-liferay-portal/some/page#<script>alert('XSS')</script> | grep -i 'content-type'• wordpress / composer / npm: (Not applicable, as Liferay is not a WordPress/Composer/npm component) • database (mysql, redis, mongodb, postgresql): (Not applicable, as the vulnerability is in the frontend JS) • windows / supply-chain: (Not applicable, as Liferay is a Java application)
disclosure
patch
एक्सप्लॉइट स्थिति
EPSS
0.19% (41% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2024-26269 is to upgrade Liferay Portal to version 7.4.4 or later. If immediate upgrading is not possible, consider implementing temporary workarounds. Input validation and output encoding on the affected portlet.js component can help reduce the attack surface, though this is not a substitute for patching. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor Liferay logs for suspicious activity, particularly unusual JavaScript execution patterns or attempts to access sensitive data.
Liferay Portal को नवीनतम उपलब्ध संस्करण में अपडेट करें या Liferay द्वारा प्रदान किए गए संबंधित पैच लागू करें। आवश्यक अपडेट या पैच लागू करने के बारे में विस्तृत निर्देशों के लिए Liferay सुरक्षा सलाहकार देखें। यह फ्रंटएंड JS मॉड्यूल में XSS भेद्यता को ठीक कर देगा।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-26269 is a critical Cross-Site Scripting (XSS) vulnerability in Liferay Portal's Frontend JS module, allowing attackers to inject malicious scripts via URL hashes.
Yes, if you are running Liferay Portal versions 7.2.0–7.4.3.37 or Liferay DXP versions prior to update 38, you are affected by this vulnerability.
Upgrade Liferay Portal to version 7.4.4 or later to remediate the vulnerability. Consider temporary workarounds like input validation and WAF rules if immediate upgrading is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target.
Refer to the official Liferay security advisory for detailed information and mitigation guidance: [https://liferay.com/security/advisory/liferay-portal-7-4-4-and-liferay-dxp-7-4-4-released](https://liferay.com/security/advisory/liferay-portal-7-4-4-and-liferay-dxp-7-4-4-released)
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी pom.xml फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।