CVE-2024-25145Cross-site Scripting in Digital Experience Platform

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.4MEDIUMNVD
CNA9.6
EPSS
0.2%
top 64.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Liferay Digital Experience PlatformLiferay PortalLiferay DXP+1 more
Timeline
PublishedFeb 7

Description

Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

NVDliferay/liferay_portal7.4.07.4.3.12+2
CVEListV5liferay/portal7.2.07.4.3.11
CVEListV5liferay/dxp7.4.137.4.13.u7+2
NVDliferay/dxp7.3, 7.4+1

🔴Vulnerability Details

3
OSV
Liferay Portal stored cross-site scripting (XSS) vulnerability2024-02-07
CVEList
CVE-2024-25145: Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 72024-02-07
GHSA
Liferay Portal stored cross-site scripting (XSS) vulnerability2024-02-07
CVE-2024-25145 — Cross-site Scripting | cvebase