← Back

CVE-2024-25606

nvd nist
Published: Feb 20, 2024Modified: Dec 11, 2024

JSON object

Loading...
8.7
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H
Exploitability: 2.3 / Impact: 5.8
Source: NVD

Description

XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.

Affected (46)

Liferay
2 products
Digital Experience Platform
Liferay Portal
Configuration A
46 vulnerable
Vulnerable SoftwareAffected Versions
Liferay
Digital Experience Platform
Before 7.2
Digital Experience Platform
Version 7.2
Digital Experience Platform
Version 7.2 fix_pack_10
Digital Experience Platform
Version 7.2 fix_pack_11
Digital Experience Platform
Version 7.2 fix_pack_12
Digital Experience Platform
Version 7.2 fix_pack_13
Digital Experience Platform
Version 7.2 fix_pack_14
Digital Experience Platform
Version 7.2 fix_pack_15
Digital Experience Platform
Version 7.2 fix_pack_16
Digital Experience Platform
Version 7.2 fix_pack_17
Digital Experience Platform
Version 7.2 fix_pack_18
Digital Experience Platform
Version 7.2 fix_pack_19
Digital Experience Platform
Version 7.2 fix_pack_1
Digital Experience Platform
Version 7.2 fix_pack_2
Digital Experience Platform
Version 7.2 fix_pack_3
Digital Experience Platform
Version 7.2 fix_pack_4
Digital Experience Platform
Version 7.2 fix_pack_5
Digital Experience Platform
Version 7.2 fix_pack_6
Digital Experience Platform
Version 7.2 fix_pack_7
Digital Experience Platform
Version 7.2 fix_pack_8
Digital Experience Platform
Version 7.2 fix_pack_9
Digital Experience Platform
Version 7.2 service_pack_1
Digital Experience Platform
Version 7.2 service_pack_2
Digital Experience Platform
Version 7.2 service_pack_3
Digital Experience Platform
Version 7.2 service_pack_4
Digital Experience Platform
Version 7.2 service_pack_5
Digital Experience Platform
Version 7.2 service_pack_6
Digital Experience Platform
Version 7.2 service_pack_7
Digital Experience Platform
Version 7.3
Digital Experience Platform
Version 7.3 fix_pack_1
Digital Experience Platform
Version 7.3 fix_pack_2
Digital Experience Platform
Version 7.3 service_pack_1
Digital Experience Platform
Version 7.3 service_pack_3
Digital Experience Platform
Version 7.3 update10
Digital Experience Platform
Version 7.3 update11
Digital Experience Platform
Version 7.3 update4
Digital Experience Platform
Version 7.3 update5
Digital Experience Platform
Version 7.3 update6
Digital Experience Platform
Version 7.3 update7
Digital Experience Platform
Version 7.3 update8
Digital Experience Platform
Version 7.3 update9
Digital Experience Platform
Version 7.4
Digital Experience Platform
Version 7.4 update1
Digital Experience Platform
Version 7.4 update2
Digital Experience Platform
Version 7.4 update3
Liferay Portal
Before 7.4.3.8

Related CWEs

CWE-611
Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

Source: security@liferay.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.