Platform: java
Component: message-board-widget
Fixed in: 7.4.3, 7.3.11, 7.2.11
CVE-2024-25152 describes a stored cross-site scripting (XSS) vulnerability affecting Liferay Portal versions 7.2.0 through 7.4.2, as well as older unsupported versions and Liferay DXP. An attacker can inject arbitrary web script or HTML by manipulating the filename of an attachment within the Message Board widget. This vulnerability poses a significant risk to data integrity and user security, and can lead to account compromise. The vulnerability was published on 2024-02-21 and a fix is available in version 7.4.3.
Successful exploitation of CVE-2024-25152 allows an attacker to inject malicious JavaScript code into the Liferay Portal environment. This code executes within the context of other authenticated users' browsers when they interact with the Message Board widget. The attacker can then steal session cookies, redirect users to phishing sites, deface the website, or execute arbitrary actions on behalf of the victim user. The impact is particularly severe because the vulnerability is stored, meaning the malicious script persists until removed, potentially affecting numerous users. This is similar to other XSS vulnerabilities where attackers leverage user input to inject malicious code, but the attachment filename vector provides a subtle and potentially overlooked attack surface.
CVE-2024-25152 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature and severity suggest a potential for exploitation. The vulnerability was publicly disclosed on 2024-02-21, increasing the likelihood of exploitation attempts. Organizations using affected versions of Liferay Portal should prioritize patching to mitigate this risk.
Exploit Status
EPSS: 0.15% (36th percentile)
CVSS Vector
The primary mitigation for CVE-2024-25152 is to upgrade Liferay Portal to version 7.4.3 or later. If immediate upgrading is not possible, consider implementing input validation and sanitization on attachment filenames within the Message Board widget. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the Message Board widget can provide an additional layer of defense. Monitor Liferay logs for suspicious activity related to attachment uploads and unusual script execution. After upgrading, confirm the fix by attempting to upload an attachment with a malicious filename and verifying that the script is not executed.
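The interim measure above, as an added example that is not Liferay's code: a server-side guard that validates attachment filenames against an allow-list on upload and HTML-encodes them on output. The class and method names are hypothetical, and where it would be wired into the Message Board upload path is left to the deployment.

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

// Added example (not Liferay's code): an interim guard for Message Board attachment
// filenames, pairing the input validation the mitigation text recommends with
// output encoding at render time. Class and method names are hypothetical.
public final class AttachmentFilenameGuard {

    private static final int MAX_LENGTH = 255;
    // Conservative allow-list: letters, digits, space, dot, dash, underscore, parentheses.
    // It excludes <, >, ", ', &, path separators and control characters, so no markup
    // can be stored in the name.
    private static final Pattern SAFE_NAME = Pattern.compile("[\\p{L}\\p{N} ._()\\-]+");

    // Input validation. Returns the cleaned name, or null if the upload must be rejected.
    public static String validate(String rawName) {
        if (rawName == null) {
            return null;
        }
        // Fold Unicode forms so composed and decomposed spellings of one name behave alike.
        String name = Normalizer.normalize(rawName, Normalizer.Form.NFC);
        // Some clients send a full path; keep only the last segment.
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        name = name.substring(slash + 1).trim();
        boolean onlyDots = !name.isEmpty() && name.chars().allMatch(c -> c == '.');
        if (name.isEmpty() || onlyDots || name.length() > MAX_LENGTH
                || !SAFE_NAME.matcher(name).matches()) {
            return null;
        }
        return name;
    }

    // Output encoding: escape the HTML-significant characters before a stored filename is
    // written into markup. Ampersand is replaced first so the entities added afterwards are
    // not escaped again. This also neutralizes names stored before validation was in place.
    public static String escapeForHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed sample: a filename carrying markup, as a tester would submit it.
        String hostile = "notes<script>x</script>.pdf";
        System.out.println("hostile name accepted at upload: " + (validate(hostile) != null));
        System.out.println("ordinary name accepted at upload: " + (validate("Q3 report (final).pdf") != null));
        System.out.println("hostile name as rendered: " + escapeForHtml(hostile));
    }
}
```

Both layers are needed: validation stops new hostile names from being stored, while output encoding protects against names already in the database and against any upload path the validator does not cover.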
Update Liferay Portal to a version later than 7.4.2 or apply the security patches provided by Liferay. For Liferay DXP, update to version 7.3 Service Pack 3 or 7.2 Fix Pack 17, or a later version. See the Liferay security advisory for detailed instructions.
CVE-2024-25152 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.2.0–7.4.2, allowing attackers to inject malicious scripts via attachment filenames.
If you are running Liferay Portal 7.2.0–7.4.2 or an older unsupported version, or Liferay DXP 7.3 before Service Pack 3 or 7.2 before Fix Pack 17, you are potentially affected.
Upgrade Liferay Portal to version 7.4.3 or later. Implement input validation on attachment filenames as a temporary workaround.
While there's no confirmed active exploitation, the vulnerability's severity and public disclosure increase the risk of exploitation attempts.
Refer to the official Liferay security advisory: [https://liferay.com/security-advisories/liferay-portal-7-4-3-released](https://liferay.com/security-advisories/liferay-portal-7-4-3-released)