Platform
java
Component
liferay-portal
Fixed in
7.4.2
7.3.11
7.2.11
CVE-2024-25147 is a critical Cross-Site Scripting (XSS) vulnerability discovered in Liferay Portal versions 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15. This vulnerability allows remote attackers to inject malicious web scripts, potentially leading to account takeover or defacement. A fix is available in version 7.4.2, and users are strongly advised to upgrade immediately.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code into a user's browser session, allowing them to execute malicious actions as that user. This could include stealing session cookies, redirecting users to phishing sites, modifying page content, or even gaining complete control of the user's account. The vulnerability’s location within HtmlUtil.escapeJsLink suggests that it could be triggered through various input vectors, making exploitation relatively straightforward. Successful exploitation could compromise sensitive data stored within Liferay Portal, including user credentials, configuration settings, and business-critical information. Given the widespread use of Liferay Portal in enterprise environments, the potential blast radius of this vulnerability is substantial.
CVE-2024-25147 was publicly disclosed on February 21, 2024. While no active exploitation campaigns have been definitively confirmed, the vulnerability's CRITICAL severity and ease of exploitation make it a high-priority target for attackers. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.19% (41% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-25147 is to upgrade to Liferay Portal version 7.4.2 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds. Input validation and sanitization on all user-supplied data is crucial. Web Application Firewalls (WAFs) can be configured to detect and block malicious JavaScript payloads. Review and tighten access controls to limit the potential impact of a successful attack. Monitor Liferay Portal logs for suspicious activity, particularly unusual JavaScript execution patterns. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint with a known malicious payload and verifying that the input is properly sanitized.
Update Liferay Portal to a version later than 7.4.1 or apply the security patches provided by Liferay. For Liferay DXP, update to version 7.3 Service Pack 3 or 7.2 Fix Pack 15 or later. See the Liferay security advisory for detailed instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-25147 is a critical Cross-Site Scripting (XSS) vulnerability in Liferay Portal versions 7.2.0–7.4.1, allowing attackers to inject malicious scripts.
If you are running Liferay Portal 7.2.0–7.4.1, or older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, you are affected by this vulnerability.
Upgrade to Liferay Portal version 7.4.2 or later to remediate the vulnerability. Implement temporary workarounds like input validation if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official Liferay security advisory for detailed information and updates: [https://liferay.com/security/advisory/liferay-portal-7-4-2-released](https://liferay.com/security/advisory/liferay-portal-7-4-2-released)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.