CVE-2024-25610

CRITICAL

Liferay Portal <7.4.3.12 & DXP <7.2 - XSS

Title source: llm

Description

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.

References (1)

[Vendor Advisory] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610

Scores

CVSS v3 9.0

EPSS 0.0011

EPSS Percentile 28.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-1188

Status published

Products (8)

com.liferay.portal/com.liferay.portal.web 0 - 5.0.96Maven

com.liferay.portal/release.dxp.bom 7.4.0 - 7.4.13.u9Maven

com.liferay.portal/release.portal.bom 0 - 7.4.3.13Maven

liferay/digital_experience_platform 7.2 (25 CPE variants)

liferay/digital_experience_platform 7.3 (5 CPE variants)

liferay/digital_experience_platform 7.4 (9 CPE variants)

liferay/digital_experience_platform < 7.2

liferay/liferay_portal < 7.4.3.13

Published Feb 20, 2024

Tracked Since Feb 18, 2026