CVE-2024-25144 — Infinite Loop in Portal

CWE-835 — Infinite Loop CWE-834 — Excessive Iteration4 documents4 sources

Severity

6.5MEDIUMNVD

CNA4.1

EPSS

0.3%

top 45.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedFeb 8

Description

The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDliferay/liferay_portal7.2.0 — 7.4.3.26

▶CVEListV5liferay/portal7.2.0 — 7.4.3.26

▶CVEListV5liferay/dxp7.4.13 — 7.4.13.u26+2

▶NVDliferay/dxp7.3, 7.4+1

▶NVDliferay/digital_experience_platform7.2

🔴Vulnerability Details

GHSA

Liferay Portal denial-of-service vulnerability↗2024-02-08

▶

CVEList

CVE-2024-25144: The IFrame widget in Liferay Portal 7↗2024-02-08

▶

OSV

Liferay Portal denial-of-service vulnerability↗2024-02-08

▶