CVE-2024-25606

HIGH

Liferay Portal <7.4.3.7 & DXP <7.4 - Info Disclosure

Title source: llm

Description

XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.

References (1)

[Vendor Advisory] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606

Scores

CVSS v3 8.0

EPSS 0.0014

EPSS Percentile 33.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (8)

com.liferay.portal/com.liferay.util.java 0 - 14.0.0Maven

com.liferay.portal/release.dxp.bom 7.3.0 - 7.3.10.u12Maven

com.liferay.portal/release.portal.bom 0 - 7.4.3.8Maven

liferay/digital_experience_platform 7.2 (27 CPE variants)

liferay/digital_experience_platform 7.3 (13 CPE variants)

liferay/digital_experience_platform 7.4 (4 CPE variants)

liferay/digital_experience_platform < 7.2

liferay/liferay_portal < 7.4.3.8

Published Feb 20, 2024

Tracked Since Feb 18, 2026