PT-2024-21319 · Liferay · Liferay Portal, Liferay DXP
Published 2024-02-20 · Updated 2025-01-28 · CVE-2024-26266
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.2.0 through 7.4.3.13
Liferay DXP 7.4 before update 10
Liferay DXP 7.3 before update 4
Liferay DXP 7.2 before fix pack 17
Liferay DXP older unsupported versions
Liferay Portal older unsupported versions
Description
Multiple stored cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload placed in the first, middle or last name text field of the user who creates an entry in the Announcement widget or Alerts widget; the stored name is then rendered in the widget for other users.
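A minimal model of the flaw and its fix, added here as an illustration and not Liferay's code: the three editable profile name fields are concatenated into the widget's entry markup; the vulnerable renderer inserts them raw, the hardened one HTML-escapes every user-controlled value at output time. The User and Announcement types, function names and sample values are assumptions constructed for the demonstration.

```python
import html
from dataclasses import dataclass


@dataclass
class User:
    first_name: str
    middle_name: str
    last_name: str

    def full_name(self) -> str:
        # Display name assembled from the three editable profile fields.
        parts = (self.first_name, self.middle_name, self.last_name)
        return " ".join(p for p in parts if p)


@dataclass
class Announcement:
    title: str
    author: User


def render_entry_vulnerable(entry: Announcement) -> str:
    # Vulnerable pattern: the author's stored profile name is concatenated into
    # the widget markup unchanged, so markup saved in a name field is rendered
    # (and any script in it executed) for every viewer of the widget.
    return (f'<div class="entry"><h3>{entry.title}</h3>'
            f'<span class="author">{entry.author.full_name()}</span></div>')


def render_entry_fixed(entry: Announcement) -> str:
    # Hardened pattern: each user-controlled value is HTML-escaped when emitted.
    return ('<div class="entry"><h3>' + html.escape(entry.title, quote=True) + '</h3>'
            '<span class="author">' + html.escape(entry.author.full_name(), quote=True)
            + '</span></div>')


def contains_raw_value(rendered: str, user_value: str) -> bool:
    # Check used below: does the stored value reach the markup unescaped?
    return user_value in rendered


def flag_markup_in_name(user: User) -> list:
    # Defence in depth for reviewing existing accounts: list the name fields that
    # carry markup characters. Output escaping remains the actual fix.
    fields = ("first_name", "middle_name", "last_name")
    return [f for f in fields if any(c in getattr(user, f) for c in "<>\"'")]


# Constructed sample: a profile whose first name carries a script tag.
SAMPLE_USER = User("<script>alert(1)</script>", "", "Doe")
SAMPLE_ENTRY = Announcement("Maintenance window", SAMPLE_USER)
```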
Recommendations
For Liferay Portal versions 7.2.0 through 7.4.3.13, update to a version outside of this range to mitigate the risk.
For Liferay DXP 7.4 before update 10, apply update 10 to resolve the issue.
For Liferay DXP 7.3 before update 4, apply update 4 to resolve the issue.
For Liferay DXP 7.2 before fix pack 17, apply fix pack 17 to resolve the issue.
For Liferay DXP and Liferay Portal older unsupported versions, consider upgrading to a supported version to ensure security patches are applied.
As a temporary workaround, consider restricting access to the Announcement and Alerts widgets until a patch is available.
Fix
XSS
Affected Products
Liferay DXP
Liferay Portal