CVE-2024-11993 com.liferay.portal:release.portal.bom

Package

Manager: maven
Name: com.liferay.portal:release.portal.bom
Vulnerable Version: >=7.1.0 <7.4.3.39

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00069 (percentile: 0.21666)

Details

Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via the Dispatch name field.

Metadata

Created: 2024-12-17T21:30:34Z
Modified: 2025-01-28T22:26:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-4hxr-28mv-q729/GHSA-4hxr-28mv-q729.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-4hxr-28mv-q729
Finding: F008
Auto approve: 1