CVE-2024-25610 — Initialization of a Resource with an Insecure Default in Digital Experience Platform

CWE-1188 — Initialization of a Resource with an Insecure Default4 documents4 sources

Severity

5.4MEDIUMNVD

CNA9.0

EPSS

0.1%

top 71.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedFeb 20

Description

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶NVDliferay/liferay_portal< 7.4.3.13

▶CVEListV5liferay/portal7.2.0 — 7.4.3.12

▶NVDliferay/digital_experience_platform< 7.2+3

▶CVEListV5liferay/dxp7.4.13 — 7.4.13.u8+2

🔴Vulnerability Details

CVEList

CVE-2024-25610: In Liferay Portal 7↗2024-02-20

▶

OSV

Liferay Portal has a Stored XSS with Blog entries (Insecure defaults)↗2024-02-20

▶

GHSA

Liferay Portal has a Stored XSS with Blog entries (Insecure defaults)↗2024-02-20

▶