CVE-2024-25606: XEE
First published: Tue Feb 20 2024(Updated: )
XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.
Credit: security@liferay.com security@liferay.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.liferay.portal:release.dxp.bom | <7.2.10.fp20 | 7.2.10.fp20 |
| maven/com.liferay.portal:release.dxp.bom | >=7.4.0<7.4.13.u4 | 7.4.13.u4 |
| maven/com.liferay.portal:release.dxp.bom | >=7.3.0<7.3.10.u12 | 7.3.10.u12 |
| maven/com.liferay.portal:release.portal.bom | <7.4.3.8 | 7.4.3.8 |
| maven/com.liferay.portal:com.liferay.util.java | <14.0.0 | 14.0.0 |
| Liferay DXP | <7.2 | |
| Liferay DXP | =7.2 | |
| Liferay DXP | =7.2-fix_pack_1 | |
| Liferay DXP | =7.2-fix_pack_10 | |
| Liferay DXP | =7.2-fix_pack_11 | |
| Liferay DXP | =7.2-fix_pack_12 | |
| Liferay DXP | =7.2-fix_pack_13 | |
| Liferay DXP | =7.2-fix_pack_14 | |
| Liferay DXP | =7.2-fix_pack_15 | |
| Liferay DXP | =7.2-fix_pack_16 | |
| Liferay DXP | =7.2-fix_pack_17 | |
| Liferay DXP | =7.2-fix_pack_18 | |
| Liferay DXP | =7.2-fix_pack_19 | |
| Liferay DXP | =7.2-fix_pack_2 | |
| Liferay DXP | =7.2-fix_pack_3 | |
| Liferay DXP | =7.2-fix_pack_4 | |
| Liferay DXP | =7.2-fix_pack_5 | |
| Liferay DXP | =7.2-fix_pack_6 | |
| Liferay DXP | =7.2-fix_pack_7 | |
| Liferay DXP | =7.2-fix_pack_8 | |
| Liferay DXP | =7.2-fix_pack_9 | |
| Liferay DXP | =7.2-service_pack_1 | |
| Liferay DXP | =7.2-service_pack_2 | |
| Liferay DXP | =7.2-service_pack_3 | |
| Liferay DXP | =7.2-service_pack_4 | |
| Liferay DXP | =7.2-service_pack_5 | |
| Liferay DXP | =7.2-service_pack_6 | |
| Liferay DXP | =7.2-service_pack_7 | |
| Liferay DXP | =7.3 | |
| Liferay DXP | =7.3-fix_pack_1 | |
| Liferay DXP | =7.3-fix_pack_2 | |
| Liferay DXP | =7.3-service_pack_1 | |
| Liferay DXP | =7.3-service_pack_3 | |
| Liferay DXP | =7.3-update10 | |
| Liferay DXP | =7.3-update11 | |
| Liferay DXP | =7.3-update4 | |
| Liferay DXP | =7.3-update5 | |
| Liferay DXP | =7.3-update6 | |
| Liferay DXP | =7.3-update7 | |
| Liferay DXP | =7.3-update8 | |
| Liferay DXP | =7.3-update9 | |
| Liferay DXP | =7.4 | |
| Liferay DXP | =7.4-update1 | |
| Liferay DXP | =7.4-update2 | |
| Liferay DXP | =7.4-update3 | |
| Liferay 7.4 GA | <7.4.3.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-25606?
CVE-2024-25606 is considered a critical vulnerability due to its potential to expose sensitive information.
How do I fix CVE-2024-25606?
To remediate CVE-2024-25606, upgrade Liferay Portal to versions 7.2.10.fp20, 7.3.10.u12, or 7.4.13.u4 or later.
Which versions of Liferay are affected by CVE-2024-25606?
CVE-2024-25606 affects Liferay Portal versions 7.2.0 through 7.4.3.7 and older unsupported versions.
What types of attacks does CVE-2024-25606 allow?
CVE-2024-25606 allows attackers withappropriate permissions to exploit XML External Entities (XXE) vulnerabilities.
Is there a patch available for CVE-2024-25606?
Yes, there are patches available for CVE-2024-25606 in the form of updated versions of Liferay Portal.
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-869h-qhfx-w939
- alias/CVE-2024-25606
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/severity
- agent/event
- agent/author
- agent/trending
- collector/github-advisory
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/maven
- vendor/liferay
- canonical/liferay dxp
- version/liferay dxp/7.2
- version/liferay dxp/7.2-fix_pack_1
- version/liferay dxp/7.2-fix_pack_10
- version/liferay dxp/7.2-fix_pack_11
- version/liferay dxp/7.2-fix_pack_12
- version/liferay dxp/7.2-fix_pack_13
- version/liferay dxp/7.2-fix_pack_14
- version/liferay dxp/7.2-fix_pack_15
- version/liferay dxp/7.2-fix_pack_16
- version/liferay dxp/7.2-fix_pack_17
- version/liferay dxp/7.2-fix_pack_18
- version/liferay dxp/7.2-fix_pack_19
- version/liferay dxp/7.2-fix_pack_2
- version/liferay dxp/7.2-fix_pack_3
- version/liferay dxp/7.2-fix_pack_4
- version/liferay dxp/7.2-fix_pack_5
- version/liferay dxp/7.2-fix_pack_6
- version/liferay dxp/7.2-fix_pack_7
- version/liferay dxp/7.2-fix_pack_8
- version/liferay dxp/7.2-fix_pack_9
- version/liferay dxp/7.2-service_pack_1
- version/liferay dxp/7.2-service_pack_2
- version/liferay dxp/7.2-service_pack_3
- version/liferay dxp/7.2-service_pack_4
- version/liferay dxp/7.2-service_pack_5
- version/liferay dxp/7.2-service_pack_6
- version/liferay dxp/7.2-service_pack_7
- version/liferay dxp/7.3
- version/liferay dxp/7.3-fix_pack_1
- version/liferay dxp/7.3-fix_pack_2
- version/liferay dxp/7.3-service_pack_1
- version/liferay dxp/7.3-service_pack_3
- version/liferay dxp/7.3-update10
- version/liferay dxp/7.3-update11
- version/liferay dxp/7.3-update4
- version/liferay dxp/7.3-update5
- version/liferay dxp/7.3-update6
- version/liferay dxp/7.3-update7
- version/liferay dxp/7.3-update8
- version/liferay dxp/7.3-update9
- version/liferay dxp/7.4
- version/liferay dxp/7.4-update1
- version/liferay dxp/7.4-update2
- version/liferay dxp/7.4-update3
- canonical/liferay 7.4 ga