CVE-2024-25143

MEDIUM

Liferay Digital Experience Platform 7.2.0-7.3.6 - Authenticated Denial of Service via PNG Preview Generation

Title source: llm

Description

The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.

References (1)

Core 1

Core References

Mitigation, Vendor Advisory vendor-advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25143

Scores

CVSS v3 6.5

EPSS 0.0075

EPSS Percentile 73.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (5)

com.liferay.portal/release.portal.bom 7.2.0 - 7.3.7Maven

liferay/digital_experience_platform 7.2 (13 CPE variants)

liferay/digital_experience_platform 7.3 (2 CPE variants)

liferay/digital_experience_platform < 7.2

liferay/liferay_portal < 7.2.0

Published Feb 07, 2024

Tracked Since Feb 18, 2026