Security Listings

9.6

CVE-2024-26269 XSS with anchor/hash part of a URL in portlet.js

Description

Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL.

Severity

9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Version(s)

Liferay Portal 7.4.0 through 7.4.3.38
Liferay Portal 7.3.0 through 7.3.7
Liferay Portal 7.2.0 and 7.2.1
Liferay DXP 7.4 before update 38
Liferay DXP 7.3 before update 11
Liferay DXP 7.2 before fix pack 20
Liferay DXP, older unsupported versions

Fixed Version(s)

Liferay Portal 7.4.3.38
Liferay DXP 7.4 update 38
Liferay DXP 7.3 update 11
Liferay DXP 7.2 fix pack 20

CVE-2024-26269

Publication Date:

février 21, 2024

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Learn How >

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Learn How >

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!

Learn How >

Community

Company

Feedback