Stored XSS vulnerability in geolocation custom fields
CVE-2024-25601
5.4 MEDIUM
What is CVE-2024-25601?
A stored cross-site scripting (XSS) vulnerability exists in the geolocation custom fields of Liferay Portal versions 7.2.0 through 7.4.2, as well as unsupported older versions. It allows remote authenticated users to execute arbitrary web script or HTML by injecting a malicious payload into the name text field of a geolocation custom field. Exploitation can lead to unauthorized actions and loss of data integrity in applications running these versions of Liferay Portal and Liferay DXP.
Affected Version(s)
DXP 7.3.10 <= 7.3.10-dxp-2
DXP 7.2.10 <= 7.2.10-dxp-16
Portal 7.2.0 <= 7.4.2