XXE vulnerability in Liferay Portal allows attackers to obtain sensitive information or consume system resources
CVE-2024-25606
What is CVE-2024-25606?
Liferay Portal and Liferay DXP are vulnerable to XML External Entity (XXE) attacks. This issue is present in versions 7.2.0 through 7.4.3.7 of Liferay Portal, as well as in Liferay DXP 7.4 before update 4, 7.3 before update 12, and 7.2 before fix pack 20. An attacker with permission to deploy widgets, portlets, or extensions could exploit the Java2WsddTask._format method to obtain sensitive information or consume system resources. Older, unsupported versions are also vulnerable, so users should prioritize updating to mitigate this risk. Comprehensive security assessments and remedial actions are advised for affected deployments.
Affected Version(s)
DXP 7.4.13 <= 7.4.13.u3
DXP 7.3.10 <= 7.3.10.u11
DXP 7.2.10 <= 7.2.10-dxp-19