CVE-2024-26269: 
Java vulnerability analysis and mitigation

Cross-site scripting (XSS) vulnerability (CVE-2024-26269) was discovered in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions. The vulnerability was disclosed on February 20, 2024 (NVD, Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL. The severity of this vulnerability has been assessed with two different CVSS v3.1 scores: NIST rates it as MEDIUM (6.1) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Liferay Inc. rates it as CRITICAL (9.6) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability could allow attackers to execute arbitrary web scripts or inject HTML content through the URL hash component, potentially leading to unauthorized access to sensitive information or manipulation of web content (Liferay Advisory).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.38, Liferay DXP 7.4 update 38, Liferay DXP 7.3 update 11, and Liferay DXP 7.2 fix pack 20. Users are advised to upgrade to these versions to mitigate the vulnerability (Liferay Advisory).