CVE-2024-26266: 
Java vulnerability analysis and mitigation

CVE-2024-26266 is a stored cross-site scripting (XSS) vulnerability affecting Liferay Portal versions 7.2.0 through 7.4.3.13 and Liferay DXP versions 7.4 (before update 10), 7.3 (before update 4), and 7.2 (before fix pack 17), as well as older unsupported versions. The vulnerability was discovered and reported by Liferay and milCERT AT, with the initial disclosure date of February 21, 2024 (Liferay Advisory).

The vulnerability allows remote authenticated users to inject arbitrary web script or HTML through crafted payloads in the first/middle/last name text fields of users who create entries in either the Announcement widget or Alerts widget. The vulnerability has been assigned a CVSS v3.1 base score of 9.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) by Liferay Inc., while NIST assigned a score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability could potentially allow attackers to execute arbitrary web scripts or HTML in the context of other users' browsers when they view entries created in the Announcement or Alerts widgets. This could lead to the compromise of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal 7.4.3.14, Liferay DXP 7.4 update 10, Liferay DXP 7.3 update 4, or Liferay DXP 7.2 fix pack 17 depending on their current version (Liferay Advisory).