CVE-2024-25610: XSS
First published: Tue Feb 20 2024(Updated: )
In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.
Credit: security@liferay.com security@liferay.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.liferay.portal:com.liferay.portal.web | <5.0.96 | 5.0.96 |
| maven/com.liferay.portal:release.dxp.bom | <7.2.10.fp19 | 7.2.10.fp19 |
| maven/com.liferay.portal:release.dxp.bom | >=7.3.0<7.3.10.u4 | 7.3.10.u4 |
| maven/com.liferay.portal:release.dxp.bom | >=7.4.0<7.4.13.u9 | 7.4.13.u9 |
| maven/com.liferay.portal:release.portal.bom | <7.4.3.13 | 7.4.3.13 |
| Liferay DXP | <7.2 | |
| Liferay DXP | =7.2 | |
| Liferay DXP | =7.2-fix_pack_1 | |
| Liferay DXP | =7.2-fix_pack_10 | |
| Liferay DXP | =7.2-fix_pack_11 | |
| Liferay DXP | =7.2-fix_pack_12 | |
| Liferay DXP | =7.2-fix_pack_13 | |
| Liferay DXP | =7.2-fix_pack_14 | |
| Liferay DXP | =7.2-fix_pack_15 | |
| Liferay DXP | =7.2-fix_pack_16 | |
| Liferay DXP | =7.2-fix_pack_17 | |
| Liferay DXP | =7.2-fix_pack_18 | |
| Liferay DXP | =7.2-fix_pack_2 | |
| Liferay DXP | =7.2-fix_pack_3 | |
| Liferay DXP | =7.2-fix_pack_4 | |
| Liferay DXP | =7.2-fix_pack_5 | |
| Liferay DXP | =7.2-fix_pack_6 | |
| Liferay DXP | =7.2-fix_pack_7 | |
| Liferay DXP | =7.2-fix_pack_8 | |
| Liferay DXP | =7.2-fix_pack_9 | |
| Liferay DXP | =7.2-service_pack_1 | |
| Liferay DXP | =7.2-service_pack_2 | |
| Liferay DXP | =7.2-service_pack_3 | |
| Liferay DXP | =7.2-service_pack_4 | |
| Liferay DXP | =7.2-service_pack_5 | |
| Liferay DXP | =7.2-service_pack_6 | |
| Liferay DXP | =7.3 | |
| Liferay DXP | =7.3-fix_pack_1 | |
| Liferay DXP | =7.3-fix_pack_2 | |
| Liferay DXP | =7.3-service_pack_1 | |
| Liferay DXP | =7.3-service_pack_3 | |
| Liferay DXP | =7.4 | |
| Liferay DXP | =7.4-update1 | |
| Liferay DXP | =7.4-update2 | |
| Liferay DXP | =7.4-update3 | |
| Liferay DXP | =7.4-update4 | |
| Liferay DXP | =7.4-update5 | |
| Liferay DXP | =7.4-update6 | |
| Liferay DXP | =7.4-update7 | |
| Liferay DXP | =7.4-update8 | |
| Liferay 7.4 GA | <7.4.3.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-25610?
CVE-2024-25610 has a high severity level due to potential cross-site scripting vulnerabilities in Liferay Portal.
How do I fix CVE-2024-25610?
To fix CVE-2024-25610, upgrade to the latest recommended versions of Liferay Portal or Liferay DXP listed in the vulnerability report.
Which versions of Liferay are affected by CVE-2024-25610?
CVE-2024-25610 affects Liferay Portal versions 7.2.0 through 7.4.3.12 and older unsupported versions, as well as specific versions of Liferay DXP.
Can remote authenticated users exploit CVE-2024-25610?
Yes, CVE-2024-25610 allows remote authenticated users to inject JavaScript into blog entries due to insufficient sanitization.
Are older versions of Liferay affected by CVE-2024-25610?
Yes, older unsupported versions of Liferay Portal and Liferay DXP prior to the specified fixed versions are also affected by CVE-2024-25610.
- agent/weakness
- agent/description
- agent/type
- agent/first-publish-date
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vvpf-53qx-cxhh
- alias/CVE-2024-25610
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/event
- agent/trending
- collector/github-advisory
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/maven
- vendor/liferay
- canonical/liferay dxp
- version/liferay dxp/7.2
- version/liferay dxp/7.2-fix_pack_1
- version/liferay dxp/7.2-fix_pack_10
- version/liferay dxp/7.2-fix_pack_11
- version/liferay dxp/7.2-fix_pack_12
- version/liferay dxp/7.2-fix_pack_13
- version/liferay dxp/7.2-fix_pack_14
- version/liferay dxp/7.2-fix_pack_15
- version/liferay dxp/7.2-fix_pack_16
- version/liferay dxp/7.2-fix_pack_17
- version/liferay dxp/7.2-fix_pack_18
- version/liferay dxp/7.2-fix_pack_2
- version/liferay dxp/7.2-fix_pack_3
- version/liferay dxp/7.2-fix_pack_4
- version/liferay dxp/7.2-fix_pack_5
- version/liferay dxp/7.2-fix_pack_6
- version/liferay dxp/7.2-fix_pack_7
- version/liferay dxp/7.2-fix_pack_8
- version/liferay dxp/7.2-fix_pack_9
- version/liferay dxp/7.2-service_pack_1
- version/liferay dxp/7.2-service_pack_2
- version/liferay dxp/7.2-service_pack_3
- version/liferay dxp/7.2-service_pack_4
- version/liferay dxp/7.2-service_pack_5
- version/liferay dxp/7.2-service_pack_6
- version/liferay dxp/7.3
- version/liferay dxp/7.3-fix_pack_1
- version/liferay dxp/7.3-fix_pack_2
- version/liferay dxp/7.3-service_pack_1
- version/liferay dxp/7.3-service_pack_3
- version/liferay dxp/7.4
- version/liferay dxp/7.4-update1
- version/liferay dxp/7.4-update2
- version/liferay dxp/7.4-update3
- version/liferay dxp/7.4-update4
- version/liferay dxp/7.4-update5
- version/liferay dxp/7.4-update6
- version/liferay dxp/7.4-update7
- version/liferay dxp/7.4-update8
- canonical/liferay 7.4 ga