CVE-2024-11993: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and Liferay DXP, affecting multiple versions including Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20, and 7.1 GA through fix pack 28. The vulnerability was discovered and reported by Liferay and milCERT AT, with the initial disclosure date of November 29, 2024 (Liferay Advisory).

The vulnerability allows remote attackers to execute arbitrary web script or HTML through the Dispatch name field. The severity of this vulnerability has been assessed with multiple scoring systems: CVSS v4.0 score of 4.6 (Medium) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, and CVSS v3.1 score of 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability can lead to the execution of arbitrary web scripts or HTML in the context of the targeted application, potentially allowing attackers to steal sensitive information, manipulate web content, or perform actions on behalf of other users (NVD).

The vulnerability has been fixed in Liferay Portal version 7.4.3.39 and Liferay DXP 7.4 update 39. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).