XXE vulnerability in Liferay Portal allows attackers to obtain sensitive information or consume system resources
CVE-2024-25606

8.7 HIGH

Key Information:

Vendor

Liferay

Status
Vendor
CVE Published:
20 February 2024

What is CVE-2024-25606?

Liferay Portal and Liferay DXP are vulnerable to XML External Entity (XXE) injection. The issue affects Liferay Portal versions 7.2.0 through 7.4.3.7, as well as Liferay DXP 7.4 before update 4, 7.3 before update 12, and 7.2 before fix pack 20. An attacker who holds permission to deploy widgets, portlets, or extensions can abuse the Java2WsddTask._format method to read sensitive information or exhaust system resources. Older, unsupported versions are also affected, so operators should prioritize updating to a fixed release. Affected deployments should be assessed and remediated.

Affected Version(s)

DXP 7.4.13 <= 7.4.13.u3

DXP 7.3.10 <= 7.3.10.u11

DXP 7.2.10 <= 7.2.10-dxp-19

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
