CVE-2024-11993
Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting
Severity: 6.1 MEDIUM (CVSS 3.1)
EPSS: 0.18%
Description
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28, allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field.
How to fix CVE-2024-11993
To remediate CVE-2024-11993, upgrade the affected package to one of the fixed versions below.
- upgrade to 7.4.13.u39 or later
- upgrade to 7.4.3.39 or later
Is CVE-2024-11993 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.1, < 7.4.13.u39
- >= 7.1.0, < 7.4.3.39
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |