Multiple Stored Cross-Site Scripting Vulnerabilities Found in Liferay Portal

CVE: CVE-2024-26266
CVSS (v3.1): 9
Source: CVE-2024-26266

Liferay Portal is an open source web content management and web application platform. Security researchers recently discovered multiple stored cross-site scripting (XSS) vulnerabilities in versions of Liferay Portal and Liferay DXP.

Stored XSS vulnerabilities occur when user-supplied input is stored by the application and later rendered to other users without sanitization or output encoding. In this case, an authenticated user could inject malicious script code by entering it into their name field when creating announcements or alerts. That script would then be rendered, and executed in the browser, for every user viewing those announcements or alerts.
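To make the pattern concrete, here is an added illustration (not Liferay's code) of an announcement renderer that drops a stored display name straight into HTML beside a hardened version that encodes every stored field first; the function names, the announcement shape and the sample display name are constructed for the example.

```javascript
// Added example, not taken from Liferay Portal. The "unsafe" renderer
// concatenates stored user data into markup, which is the pattern behind
// stored XSS; the "safe" renderer encodes it for an HTML text context.

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored fields are interpolated verbatim into the page.
function renderAnnouncementUnsafe(announcement) {
  return '<div class="announcement">' +
    `<span class="author">${announcement.authorName}</span>` +
    `<h3>${announcement.title}</h3>` +
    `<p>${announcement.body}</p></div>`;
}

// Hardened pattern: every stored field is encoded before it reaches the template.
function renderAnnouncementSafe(announcement) {
  return '<div class="announcement">' +
    `<span class="author">${escapeHtml(announcement.authorName)}</span>` +
    `<h3>${escapeHtml(announcement.title)}</h3>` +
    `<p>${escapeHtml(announcement.body)}</p></div>`;
}

// Regression check a defender can run over rendered output: does any stored
// field that contains markup characters appear in the HTML unencoded?
function containsInjectedMarkup(html, fields) {
  return fields.some((f) => /[<>"']/.test(f) && html.includes(f));
}

// Constructed sample: a user-controlled display name carrying script markup.
const sampleAnnouncement = {
  authorName: '<script>probe()</script>',
  title: 'Maintenance window',
  body: 'Portal restarts at 22:00.',
};
```

Running `containsInjectedMarkup` over both renderers' output for the sample flags the unsafe one and passes the hardened one.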

An attacker could use these vulnerabilities to steal users’ login cookies or passwords, install malware, or perform other malicious actions using the privileges of victims within the affected Liferay Portal instances. All an attacker would need is valid login credentials to inject the malicious script.

If you use an affected version of Liferay Portal or DXP, you should immediately update to the latest version that addresses these vulnerabilities. Also ensure you apply any available security patches from Liferay. Users should be cautious about following any links or downloading files from announcements or alerts within affected Liferay instances, at least until the issues are resolved. Promptly applying updates is the best way to protect your Liferay deployment and users.
