← Back

CVE-2024-25610

nvd nist
Published: Feb 20, 2024Modified: Dec 11, 2024

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 / Impact: 2.7
Source: NVD

Description

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.

Affected (41)

Liferay
2 products
Digital Experience Platform
Liferay Portal
Configuration A
41 vulnerable
Vulnerable SoftwareAffected Versions
Liferay
Digital Experience Platform
Before 7.2
Digital Experience Platform
Version 7.2
Digital Experience Platform
Version 7.2 fix_pack_10
Digital Experience Platform
Version 7.2 fix_pack_11
Digital Experience Platform
Version 7.2 fix_pack_12
Digital Experience Platform
Version 7.2 fix_pack_13
Digital Experience Platform
Version 7.2 fix_pack_14
Digital Experience Platform
Version 7.2 fix_pack_15
Digital Experience Platform
Version 7.2 fix_pack_16
Digital Experience Platform
Version 7.2 fix_pack_17
Digital Experience Platform
Version 7.2 fix_pack_18
Digital Experience Platform
Version 7.2 fix_pack_1
Digital Experience Platform
Version 7.2 fix_pack_2
Digital Experience Platform
Version 7.2 fix_pack_3
Digital Experience Platform
Version 7.2 fix_pack_4
Digital Experience Platform
Version 7.2 fix_pack_5
Digital Experience Platform
Version 7.2 fix_pack_6
Digital Experience Platform
Version 7.2 fix_pack_7
Digital Experience Platform
Version 7.2 fix_pack_8
Digital Experience Platform
Version 7.2 fix_pack_9
Digital Experience Platform
Version 7.2 service_pack_1
Digital Experience Platform
Version 7.2 service_pack_2
Digital Experience Platform
Version 7.2 service_pack_3
Digital Experience Platform
Version 7.2 service_pack_4
Digital Experience Platform
Version 7.2 service_pack_5
Digital Experience Platform
Version 7.2 service_pack_6
Digital Experience Platform
Version 7.3
Digital Experience Platform
Version 7.3 fix_pack_1
Digital Experience Platform
Version 7.3 fix_pack_2
Digital Experience Platform
Version 7.3 service_pack_1
Digital Experience Platform
Version 7.3 service_pack_3
Digital Experience Platform
Version 7.4
Digital Experience Platform
Version 7.4 update1
Digital Experience Platform
Version 7.4 update2
Digital Experience Platform
Version 7.4 update3
Digital Experience Platform
Version 7.4 update4
Digital Experience Platform
Version 7.4 update5
Digital Experience Platform
Version 7.4 update6
Digital Experience Platform
Version 7.4 update7
Digital Experience Platform
Version 7.4 update8
Liferay Portal
Before 7.4.3.13

Related CWEs

CWE-1188
Initialization of a Resource with an Insecure Default
The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References (2)

Source: security@liferay.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.