Platform: java
Component: message-board-widget
Fixed in: 7.4.3, 7.3.11, 7.2.11
CVE-2024-25152 describes a stored cross-site scripting (XSS) vulnerability affecting Liferay Portal versions 7.2.0 through 7.4.2, as well as older unsupported versions and Liferay DXP. An attacker can inject arbitrary web script or HTML by manipulating the filename of an attachment within the Message Board widget. This vulnerability poses a significant risk to data integrity and user security, and can lead to account compromise. The vulnerability was published on 2024-02-21 and a fix is available in version 7.4.3.
Successful exploitation of CVE-2024-25152 allows an attacker to inject malicious JavaScript code into the Liferay Portal environment. This code executes within the context of other authenticated users' browsers when they interact with the Message Board widget. The attacker can then steal session cookies, redirect users to phishing sites, deface the website, or execute arbitrary actions on behalf of the victim user. The impact is particularly severe because the vulnerability is stored, meaning the malicious script persists until removed, potentially affecting numerous users. This is similar to other XSS vulnerabilities where attackers leverage user input to inject malicious code, but the attachment filename vector provides a subtle and potentially overlooked attack surface.
CVE-2024-25152 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature and severity suggest a potential for exploitation. The vulnerability was publicly disclosed on 2024-02-21, increasing the likelihood of exploitation attempts. Organizations using affected versions of Liferay Portal should prioritize patching to mitigate this risk.
Organizations heavily reliant on Liferay Portal for content management and collaboration are particularly at risk. Environments where users frequently upload attachments to the Message Board widget, such as internal knowledge bases or forums, face a higher probability of exploitation. Shared hosting environments using Liferay Portal are also vulnerable, as a compromised account on one site could potentially impact other sites on the same server.
• linux / server: Monitor Liferay logs (e.g., liferay.log) for suspicious attachment uploads or script execution attempts. Look for patterns indicative of XSS payloads in filenames. Note that the alternation only works with extended regular expressions, so -E is required (a plain `grep -i 'script|alert|onerror'` would look for the literal string with the pipe characters).
  grep -Ei 'script|alert|onerror' /opt/liferay/logs/liferay.log
• generic web: Use curl to test the Message Board widget with a specially crafted filename containing XSS payloads, adjusting the host and upload path to match your deployment. Examine the response for signs of script execution.
  curl -X POST -d "filename=<script>alert('XSS')</script>" https://your-liferay-portal/o/message-board/add-attachment
• wordpress / composer / npm: Not applicable, as this is a Java/Liferay vulnerability.
• database (mysql, redis, mongodb, postgresql): Not applicable.
• windows / supply-chain: Not applicable.
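The grep above matches bare words, so it both misses URL- or entity-encoded payloads and flags benign names such as "description.txt" (which contains "script"). The following added example (not code from the page or from Liferay) decodes attachment names found in constructed, Liferay-like log lines before matching them against markup-shaped patterns; the log format and field names are assumptions for the sample.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample log lines in a Liferay-like format (not real Liferay output);
# user "mallory" uploads two encoded payloads, the other uploads are benign.
SAMPLE_LOG = """\
2024-02-22 09:14:02 INFO [MessageBoards] user=alice action=addAttachment fileName="budget_2024.xlsx"
2024-02-22 09:15:47 INFO [MessageBoards] user=mallory action=addAttachment fileName="%3Cscript%3Ealert(1)%3C/script%3E.png"
2024-02-22 09:16:10 INFO [MessageBoards] user=bob action=addAttachment fileName="description.txt"
2024-02-22 09:17:33 INFO [MessageBoards] user=mallory action=addAttachment fileName="x&quot; onerror=&quot;alert(1).jpg"
"""

# Hypothetical field layout assumed for the sample above.
LINE_RE = re.compile(r'user=(?P<user>\S+) action=addAttachment fileName="(?P<name>[^"]*)"')

# Match markup-shaped tokens (tag opener, event-handler attribute, javascript: URL)
# instead of bare words, so "description.txt" is not flagged.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def decode_name(name: str) -> str:
    """Undo URL and HTML-entity encoding (a few rounds) before matching,
    since a payload stored encoded is still rendered decoded by the browser."""
    out = name
    for _ in range(3):
        nxt = html.unescape(unquote(out))
        if nxt == out:
            break
        out = nxt
    return out


def find_suspicious_uploads(log_text: str) -> list[tuple[str, str]]:
    """Return (user, decoded filename) for every attachment upload whose
    decoded name contains markup-shaped content."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        decoded = decode_name(m["name"])
        if SUSPICIOUS.search(decoded):
            hits.append((m["user"], decoded))
    return hits


if __name__ == "__main__":
    for user, name in find_suspicious_uploads(SAMPLE_LOG):
        print(f"suspicious attachment from {user}: {name!r}")
```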
Disclosure
Patch
Exploit status
EPSS: 0.15% (36th percentile)
CVSS vector
The primary mitigation for CVE-2024-25152 is to upgrade Liferay Portal to version 7.4.3 or later. If immediate upgrading is not possible, consider implementing input validation and sanitization on attachment filenames within the Message Board widget. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the Message Board widget can provide an additional layer of defense. Monitor Liferay logs for suspicious activity related to attachment uploads and unusual script execution. After upgrading, confirm the fix by attempting to upload an attachment with a malicious filename and verifying that the script is not executed.
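To make the interim mitigation concrete, here is an added example (not Liferay's code, and not from the page) showing the bug class beside its hardened form: an upload-time allowlist on the attachment name plus render-time contextual encoding, and a check that mirrors the post-upgrade verification step. The render functions, allowlist and hostile sample name are assumptions for illustration.

```python
import html
import re
import unicodedata
from urllib.parse import quote

# Allowlist for stored attachment names: letters, digits, space, dot, dash, underscore.
SAFE_NAME = re.compile(r"[A-Za-z0-9 ._-]{1,255}")
# Constructed test name reusing the page's payload, for the post-fix verification check.
HOSTILE_NAME = "<script>alert('XSS')</script>.png"


def render_attachment_unsafe(filename: str) -> str:
    """The bug class: the attachment name is interpolated raw into the thread HTML,
    so markup in the name becomes live script for every reader (stored XSS)."""
    return f'<a href="/attachments/{filename}">{filename}</a>'


def normalize_filename(raw: str) -> str:
    """Upload-time validation: keep the basename only, normalize Unicode,
    and reject anything outside the allowlist."""
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKC", name).strip()
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError("attachment name contains disallowed characters")
    return name


def is_safe_name(raw: str) -> bool:
    try:
        normalize_filename(raw)
        return True
    except ValueError:
        return False


def render_attachment_safe(filename: str) -> str:
    """Render-time contextual encoding, applied even to validated names so that
    attachments stored before validation existed are also neutralized:
    percent-encode the URL part, HTML-escape the attribute and text."""
    href = "/attachments/" + quote(filename, safe="")
    return f'<a href="{html.escape(href)}">{html.escape(filename)}</a>'


def verify_fix(render) -> bool:
    """Mirrors the advisory's post-upgrade check: render a hostile name
    and confirm no executable markup survives in the output."""
    out = render(HOSTILE_NAME).lower()
    return "<script" not in out and "onerror=" not in out
```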
Upgrade Liferay Portal to a version later than 7.4.2, or apply the security patches provided by Liferay. For Liferay DXP, upgrade to version 7.3 Service Pack 3 or 7.2 Fix Pack 17, or a later version. Consult the Liferay security announcement for detailed instructions.
CVE-2024-25152 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.2.0–7.4.2, allowing attackers to inject malicious scripts via attachment filenames.
If you are running Liferay Portal versions 7.2.0–7.4.2 or older unsupported versions, or Liferay DXP 7.3 before Service Pack 3 or 7.2 before Fix Pack 17, you are potentially affected.
Upgrade Liferay Portal to version 7.4.3 or later. Implement input validation on attachment filenames as a temporary workaround.
While there's no confirmed active exploitation, the vulnerability's severity and public disclosure increase the risk of exploitation attempts.
Refer to the official Liferay security advisory: [https://liferay.com/security-advisories/liferay-portal-7-4-3-released](https://liferay.com/security-advisories/liferay-portal-7-4-3-released)