Platform: java
Component: portal-search
Fixed in: 7.4.4, 7.4.14, 7.3.11, 7.2.11
CVE-2024-25145 is a stored cross-site scripting (XSS) vulnerability affecting the Portal Search module's Search Result app in Liferay Portal. This vulnerability allows remote, authenticated users to inject arbitrary web scripts or HTML into the search results. The vulnerability impacts versions 7.2.0 through 7.4.3.11, as well as older unsupported versions and Liferay DXP versions prior to specific updates. A fix is available in Liferay Portal 7.4.4.
Successful exploitation of CVE-2024-25145 allows an attacker to execute malicious JavaScript code within the context of a user's browser session. This can lead to various consequences, including session hijacking, credential theft, defacement of the Liferay Portal interface, and redirection to malicious websites. The attacker needs to be an authenticated user of the portal to inject the malicious content. The impact is particularly severe because the vulnerability resides within a core search functionality, potentially affecting a large number of users and administrators who rely on search results for their daily tasks. The ability to inject arbitrary HTML also expands the attack surface beyond simple script execution, allowing for more sophisticated attacks.
CVE-2024-25145 was publicly disclosed on February 7, 2024. No known active exploitation campaigns have been reported at the time of writing. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the high severity of the vulnerability. This CVE is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.15% (36th percentile)
CVSS Vector
The primary mitigation for CVE-2024-25145 is to upgrade Liferay Portal to version 7.4.4 or later. If upgrading immediately is not feasible, consider disabling highlighting in the Search Result app as a temporary workaround. While this reduces functionality, it prevents the injection of malicious scripts. Review and audit all user-generated content added to the portal, particularly blog posts, message board messages, and web content articles, to identify and remove any potentially malicious scripts. Implement a Web Application Firewall (WAF) with XSS filtering rules to detect and block malicious requests. Regularly scan the Liferay Portal instance for vulnerabilities using a reputable vulnerability scanner.
Update Liferay Portal to the latest version. If updating is not possible, apply the security patches provided by Liferay for the affected versions. Ensure input and output filtering is enabled to prevent XSS attacks.
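The following Java class is an added illustration of the output-filtering mitigation described above; it is example code written for this page, not Liferay's own code, and it makes no claim about how the Search Result app implements highlighting internally. It contrasts a generic highlighting pattern that applies `<mark>` tags to raw stored text and emits the result as HTML (so any HTML an author stored is rendered for every reader of the search results) with a renderer that escapes the stored text segment by segment and adds only its own markup. The `escapeHtml` helper, the `<mark>` tag choice and the sample blog content are all constructed for the example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative search-snippet highlighter (example code, not Liferay's). */
public final class SafeHighlighter {

    /** Minimal HTML escaper for text nodes; constructed for this example. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Unsafe pattern: highlight markup is applied to the raw stored text and
     * the result is emitted as HTML unchanged. Whatever HTML or script the
     * content author stored survives intact in the search result page.
     */
    static String highlightUnsafe(String rawContent, String term) {
        if (term.isEmpty()) {
            return rawContent;
        }
        Pattern p = Pattern.compile(Pattern.quote(term), Pattern.CASE_INSENSITIVE);
        return p.matcher(rawContent).replaceAll("<mark>$0</mark>");
    }

    /**
     * Safe pattern: the stored text is never emitted as HTML. Matches are
     * located in the raw text, but every segment (matched or not) is escaped
     * before it reaches the output, so the only tags in the result are the
     * <mark> tags this renderer adds. Escaping per segment (rather than
     * escaping the whole string and then searching it) also avoids splitting
     * an entity such as "&lt;" when the search term happens to match inside it.
     */
    static String highlightSafe(String rawContent, String term) {
        if (term.isEmpty()) {
            return escapeHtml(rawContent);
        }
        Pattern p = Pattern.compile(Pattern.quote(term), Pattern.CASE_INSENSITIVE);
        Matcher m = p.matcher(rawContent);
        StringBuilder out = new StringBuilder(rawContent.length() + 32);
        int last = 0;
        while (m.find()) {
            out.append(escapeHtml(rawContent.substring(last, m.start())));
            out.append("<mark>").append(escapeHtml(m.group())).append("</mark>");
            last = m.end();
        }
        out.append(escapeHtml(rawContent.substring(last)));
        return out.toString();
    }

    /**
     * Audit helper for the "review user-generated content" step: a coarse
     * heuristic that flags stored text containing script tags, javascript:
     * URLs or inline event handlers. It is a triage aid for reviewers, not a
     * sanitizer, and will produce false positives on legitimate HTML content.
     */
    static boolean looksLikeStoredScript(String content) {
        Pattern p = Pattern.compile(
            "<\\s*script\\b|javascript\\s*:|\\bon[a-z]+\\s*=",
            Pattern.CASE_INSENSITIVE);
        return p.matcher(content).find();
    }

    public static void main(String[] args) {
        // Constructed sample of author-controlled content; not from any real portal.
        String stored = "Quarterly report <script>alert(document.cookie)</script> summary";
        String term = "report";

        System.out.println("unsafe: " + highlightUnsafe(stored, term));
        // -> Quarterly <mark>report</mark> <script>alert(document.cookie)</script> summary

        System.out.println("safe:   " + highlightSafe(stored, term));
        // -> Quarterly <mark>report</mark> &lt;script&gt;alert(document.cookie)&lt;/script&gt; summary

        System.out.println("flagged for review: " + looksLikeStoredScript(stored)); // true
    }
}
```

The design point is the order of operations: escaping must happen on the text nodes that reach the page, after the highlighter has decided where its own markup goes, not before highlighting (which breaks entities and still leaves the renderer emitting a string it treats as HTML) and not skipped because the content was "already checked" at input time. Input filtering is a useful second layer, but the search index stores whatever passed at write time, so the renderer has to be safe on its own.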
CVE-2024-25145 is a critical stored XSS vulnerability in the Search Result app of Liferay Portal versions 7.2.0 through 7.4.3.11, allowing authenticated users to inject malicious scripts.
If you are running Liferay Portal versions 7.2.0 through 7.4.3.11, or older unsupported versions, and highlighting is enabled in the Search Result app, you are potentially affected.
Upgrade Liferay Portal to version 7.4.4 or later. As a temporary workaround, disable highlighting in the Search Result app.
No active exploitation campaigns have been publicly reported as of February 2024, but public PoCs are likely to emerge.
Refer to the official Liferay security advisory for CVE-2024-25145: [https://liferay.com/security/advisory/liferay-portal-7-4-4-released](https://liferay.com/security/advisory/liferay-portal-7-4-4-released)