Platform: java
Component: portal-search
Fixed in: 7.4.4, 7.4.14, 7.3.11, 7.2.11
CVE-2024-25145 is a stored cross-site scripting (XSS) vulnerability affecting the Portal Search module's Search Result app in Liferay Portal. This vulnerability allows remote, authenticated users to inject arbitrary web scripts or HTML into the search results. The vulnerability impacts versions 7.2.0 through 7.4.3.11, as well as older unsupported versions and Liferay DXP versions prior to specific updates. A fix is available in Liferay Portal 7.4.4.
Successful exploitation of CVE-2024-25145 allows an attacker to execute malicious JavaScript code within the context of a user's browser session. This can lead to various consequences, including session hijacking, credential theft, defacement of the Liferay Portal interface, and redirection to malicious websites. The attacker needs to be an authenticated user of the portal to inject the malicious content. The impact is particularly severe because the vulnerability resides within a core search functionality, potentially affecting a large number of users and administrators who rely on search results for their daily tasks. The ability to inject arbitrary HTML also expands the attack surface beyond simple script execution, allowing for more sophisticated attacks.
CVE-2024-25145 was publicly disclosed on February 7, 2024. No known active exploitation campaigns have been reported at the time of writing. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the high severity of the vulnerability. This CVE is not currently listed on the CISA KEV catalog.
Organizations using Liferay Portal for internal collaboration, content management, or customer portals are at risk. Specifically, deployments with highlighting enabled in the Search Result app and where user-generated content is frequently added are particularly vulnerable. Legacy Liferay Portal installations running unsupported versions are also at significant risk due to lack of security updates.
• linux / server:
journalctl -u liferay -g "search result app"
• generic web:
curl -sI "https://your-liferay-portal/search-result-app?q=test" | grep -i content-security-policy
• wordpress / composer / npm: (Not applicable, as Liferay is not a WordPress, Composer, or npm-based application)
• database (mysql, redis, mongodb, postgresql): (Not applicable, as the vulnerability is not directly related to database configuration)
• windows / supply-chain: (Not applicable, as Liferay is a Java-based application)
EPSS: 0.15% (36th percentile)
The primary mitigation for CVE-2024-25145 is to upgrade Liferay Portal to version 7.4.4 or later. If upgrading immediately is not feasible, consider disabling highlighting in the Search Result app as a temporary workaround. While this reduces functionality, it prevents the injection of malicious scripts. Review and audit all user-generated content added to the portal, particularly blog posts, message board messages, and web content articles, to identify and remove any potentially malicious scripts. Implement a Web Application Firewall (WAF) with XSS filtering rules to detect and block malicious requests. Regularly scan the Liferay Portal instance for vulnerabilities using a reputable vulnerability scanner.
Update Liferay Portal to the latest version. If an update is not possible, apply the security patches provided by Liferay for the affected versions. Ensure that input and output filtering is enabled to prevent XSS attacks.
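The advisory ties the issue to highlighting in the Search Result app combined with stored user content. The following is an added example, not Liferay's code, showing the output-encoding pattern that keeps a highlighted snippet safe: escape the stored text first, then convert only the highlight markers into tags. The marker tokens, class name and method names are assumptions made for illustration; the page does not describe Liferay's internal implementation.

```java
import java.util.regex.Pattern;

public class SafeHighlight {
    // Hypothetical marker tokens, assumed to wrap matched terms in the
    // snippet handed to the renderer by the search backend.
    static final String OPEN = "[[HL]]";
    static final String CLOSE = "[[/HL]]";

    // Escape the characters that are significant in HTML text and attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Weak pattern: markers become tags, stored text reaches the page unescaped.
    static String renderUnsafe(String snippet) {
        return snippet.replace(OPEN, "<mark>").replace(CLOSE, "</mark>");
    }

    // Hardened pattern: escape everything, then turn only well-formed marker
    // pairs into <mark> tags. Markers typed by a user yield at most a <mark>
    // around already-escaped text; unpaired markers are dropped.
    static String renderSafe(String snippet) {
        String escaped = escapeHtml(snippet);
        Pattern pair = Pattern.compile(
            Pattern.quote(OPEN) + "(.*?)" + Pattern.quote(CLOSE), Pattern.DOTALL);
        String html = pair.matcher(escaped).replaceAll("<mark>$1</mark>");
        return html.replace(OPEN, "").replace(CLOSE, "");
    }

    public static void main(String[] args) {
        // Constructed sample: stored user content that contains markup.
        String snippet = "Quarterly [[HL]]report[[/HL]] <script>alert(1)</script>";
        System.out.println("unsafe: " + renderUnsafe(snippet));
        System.out.println("safe:   " + renderSafe(snippet));
    }
}
```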
CVE-2024-25145 is a critical stored XSS vulnerability in the Search Result app of Liferay Portal versions 7.2.0 through 7.4.3.11, allowing authenticated users to inject malicious scripts.
If you are running Liferay Portal versions 7.2.0 through 7.4.3.11, or older unsupported versions, and highlighting is enabled in the Search Result app, you are potentially affected.
Upgrade Liferay Portal to version 7.4.4 or later. As a temporary workaround, disable highlighting in the Search Result app.
No active exploitation campaigns have been publicly reported as of February 2024, but public PoCs are likely to emerge.
Refer to the official Liferay security advisory for CVE-2024-25145: [https://liferay.com/security/advisory/liferay-portal-7-4-4-released](https://liferay.com/security/advisory/liferay-portal-7-4-4-released)