CVE-2024-11993
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts via the Dispatch name field. When exploited, this can lead to session hijacking, credential theft, or redirection to malicious sites. Affected users include anyone running vulnerable versions of Liferay Portal 7.4.0-7.4.3.38 or Liferay DXP 7.4 GA through update 38.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect users to phishing sites, or perform actions on behalf of authenticated users.
Likely Case
Attackers craft malicious links containing XSS payloads that execute when clicked by victims, potentially stealing session cookies or performing limited unauthorized actions.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute scripts, limiting impact to failed exploitation attempts.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link). No authentication is needed to exploit this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.39+, Liferay DXP update 39+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-11993
Restart Required: Yes
Instructions:
1. Download the latest patch from Liferay's customer portal.
2. Apply the patch according to Liferay's patching documentation.
3. Restart the Liferay server.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Input Validation Filter
Implement a servlet filter to sanitize Dispatch name field inputs by removing or encoding special characters.
Implement custom servlet filter in Liferay to sanitize 'name' parameter in dispatch requests
Web Application Firewall (WAF)
Configure WAF rules to block requests containing XSS patterns in the Dispatch name parameter.
Add WAF rule: Block requests with suspicious patterns in 'name' parameter (e.g., <script>, javascript:, onload=)
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Deploy a web application firewall (WAF) with XSS protection rules enabled.
🔍 How to Verify
Check if Vulnerable:
Test by injecting a simple XSS payload into the Dispatch name field and checking if it executes. Example: <script>alert('test')</script>
Check Version:
Check Liferay version via Control Panel → Server Administration → System Information, or via Liferay's API endpoints.
Verify Fix Applied:
After patching, attempt the same XSS payload injection. The payload should be properly encoded and not execute.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing suspicious patterns in 'name' parameter (e.g., script tags, javascript: URIs)
- Unusual error logs related to dispatch request processing
Network Indicators:
- HTTP requests with encoded XSS payloads in query parameters
- Traffic patterns showing repeated attempts with different payloads
SIEM Query:
source="liferay.log" AND ("name=<script>" OR "name=javascript:" OR "name=onload=")
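The log indicators and SIEM query above match literal strings, so a percent-encoded or double-encoded payload in the 'name' parameter slips past them. The following Python script is an added example (not from this page or from Liferay) that URL-decodes the parameter before matching; the access-log lines and the /group/guest/dispatch path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); the request
# path is an assumption, only the 'name' parameter comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /group/guest/dispatch?name=nightly-report HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2025:10:00:02 +0000] "GET /group/guest/dispatch?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /group/guest/dispatch?name=x%2522%2520onload%253Dalert(1) HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2025:10:00:04 +0000] "GET /c/portal/login HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Same pattern families as the page's WAF guidance and SIEM query.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),  # onload=, onerror=, ...
]


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%253C -> %3C -> <) is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_name_values(log_text):
    """Return (client_ip, decoded_name) for requests whose 'name' parameter matches an XSS pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs decodes one layer; fully_decode strips any further layers.
        for raw in parse_qs(query, keep_blank_values=True).get("name", []):
            decoded = fully_decode(raw)
            if any(p.search(decoded) for p in XSS_PATTERNS):
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_name_values(SAMPLE_LOG):
        print(f"{ip}\tname={name!r}")
```

Run it against an exported access log instead of SAMPLE_LOG to triage hits before escalating.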