CVE-2024-11993: Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting

December 17, 2024 (updated January 28, 2025)

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field

References

github.com/advisories/GHSA-4hxr-28mv-q729
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993
nvd.nist.gov/vuln/detail/CVE-2024-11993

Code Behaviors & Features

Detect and mitigate CVE-2024-11993 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →