CVE-2024-25144

MEDIUM

Liferay Portal/DXP <7.4.3.26-7.2 - DoS

Title source: llm

Description

The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self-referencing IFrame.

Scores

CVSS v3: 4.1
EPSS: 0.0032
EPSS Percentile: 54.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-834, CWE-835
Status: published
Products (5)
com.liferay.portal/release.dxp.bom 7.2.0 - 7.2.10.fp19 (Maven)
com.liferay.portal/release.portal.bom 7.2.0 - 7.4.3.27 (Maven)
liferay/digital_experience_platform 7.2 (19 CPE variants)
liferay/dxp 7.3 (9 CPE variants)
liferay/dxp 7.4 (20 CPE variants)
Published: Feb 08, 2024
Tracked Since: Feb 18, 2026