Cross-site Scripting (XSS) Vulnerability in Liferay Portal
CVE-2024-25147

9.6CRITICAL

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 21 February 2024

What is CVE-2024-25147?

A cross-site scripting (XSS) vulnerability exists in the HtmlUtil.escapeJsLink function of Liferay Portal version 7.2.0 to 7.4.1, as well as older unsupported versions. Additionally, Liferay DXP version 7.3 before service pack 3 and 7.2 before fix pack 15 are also impacted. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML by utilizing crafted javascript: style links. Such attacks can lead to unauthorized data access, session hijacking, and a compromise of user interactions within the affected applications.

Affected Version(s)

DXP 7.3.10 <= 7.3.10-dxp-2

DXP 7.2.10 <= 7.2.10-dxp-14

Portal 7.2.0 <= 7.4.1

References

https://liferay.dev/portal/security/known-vulnerabilities...

vendor-advisory

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 21, 2024
Vulnerability Reserved
Feb 6, 2024