CVE-2024-26269

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.3.37 Liferay DXP versions prior to 7.4 update 38 Liferay DXP versions prior to 7.3 update 11 Liferay DXP versions prior to 7.2 fix pack 20

Description A cross-site scripting (XSS) issue in the Frontend JS module's portlet.js allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL. This affects Liferay Portal and Liferay DXP, enabling attackers to execute malicious scripts.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.3.37, update to a version outside of this range to resolve the issue. For Liferay DXP versions prior to 7.4 update 38, apply update 38 or later. For Liferay DXP versions prior to 7.3 update 11, apply update 11 or later. For Liferay DXP versions prior to 7.2 fix pack 20, apply fix pack 20 or later. As a temporary workaround, consider restricting access to the portlet.js module in the Frontend JS until a patch is available.