Cross-site Scripting (XSS) Vulnerability in Liferay Portal
CVE-2024-25147
9.6CRITICAL
What is CVE-2024-25147?
A cross-site scripting (XSS) vulnerability exists in the HtmlUtil.escapeJsLink function of Liferay Portal version 7.2.0 to 7.4.1, as well as older unsupported versions. Additionally, Liferay DXP version 7.3 before service pack 3 and 7.2 before fix pack 15 are also impacted. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML by utilizing crafted javascript: style links. Such attacks can lead to unauthorized data access, session hijacking, and a compromise of user interactions within the affected applications.
Affected Version(s)
DXP 7.3.10 <= 7.3.10-dxp-2
DXP 7.2.10 <= 7.2.10-dxp-14
Portal 7.2.0 <= 7.4.1