XXE vulnerability in Liferay Portal allows attackers to obtain sensitive information or consume system resources
CVE-2024-25606

8.7HIGH

Key Information:

Vendor: Liferay
Status: Portal; DXP
Vendor: CVE Published:; 20 February 2024

What is CVE-2024-25606?

The Liferay Portal and Liferay DXP products exhibit a vulnerability allowing XML External Entity (XXE) attacks. This issue is present in versions 7.2.0 through 7.4.3.7 of Liferay Portal, as well as in Liferay DXP 7.4 before update 4, 7.3 before update 12, and 7.2 before fix pack 20. An attacker with deployment permissions for widgets, portlets, or extensions could exploit the Java2WsddTask._format method to access sensitive information or deplete system resources. Previous unsupported versions are also vulnerable, highlighting the need for users to prioritize updates to mitigate such risks. Comprehensive security assessments and remedial actions are advised for affected deployments.

Affected Version(s)

DXP 7.4.13 <= 7.4.13.u3

DXP 7.3.10 <= 7.3.10.u11

DXP 7.2.10 <= 7.2.10-dxp-19

References

https://liferay.dev/portal/security/known-vulnerabilities...

vendor-advisory

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2024
Vulnerability Reserved
Feb 8, 2024