Platform
java
Component
expando
Fixed in
7.4.3
7.3.11
7.2.11
CVE-2024-25601 describes a stored cross-site scripting (XSS) vulnerability affecting the Expando module's geolocation custom fields in Liferay Portal. This vulnerability allows remote, authenticated users to inject arbitrary web scripts or HTML, potentially leading to account takeover or defacement. The vulnerability impacts versions 7.2.0 through 7.4.2, as well as older unsupported versions and Liferay DXP versions prior to service pack 3 for 7.3 and fix pack 17 for 7.2. A fix is available in version 7.4.3.
Successful exploitation of CVE-2024-25601 allows an attacker to inject malicious JavaScript code into the Liferay Portal environment. This code can then be executed in the context of other authenticated users who view the affected geolocation custom field. The attacker could potentially steal session cookies, redirect users to phishing sites, or modify the content displayed on the portal. The blast radius extends to all authenticated users who interact with custom fields utilizing the geolocation feature. This vulnerability is particularly concerning given the prevalence of Liferay Portal in enterprise environments and the potential for widespread impact.
CVE-2024-25601 was publicly disclosed on February 21, 2024. No known public proof-of-concept exploits are currently available, but the ease of exploitation inherent in XSS vulnerabilities suggests a high probability of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Given the CRITICAL severity and the wide adoption of Liferay Portal, organizations should prioritize patching.
Exploit Status
EPSS
0.15% (36% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-25601 is to upgrade to Liferay Portal version 7.4.3 or later. If upgrading immediately is not feasible, consider restricting access to the geolocation custom fields or implementing strict input validation on the 'name' text field. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting custom fields can provide an additional layer of defense. Monitor Liferay logs for suspicious activity, particularly attempts to inject script tags or event handlers into custom field names. After upgrading, confirm the fix by attempting to inject a simple XSS payload into a geolocation custom field and verifying that it is properly sanitized.
Update Liferay Portal to the latest version. For Liferay DXP 7.3, update to service pack 3 or later. For Liferay DXP 7.2, update to fix pack 17 or later. This will resolve the stored XSS vulnerability in the Expando module's geolocation custom fields.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-25601 is a critical stored cross-site scripting (XSS) vulnerability in Liferay Portal versions 7.2.0 through 7.4.2, allowing authenticated users to inject malicious scripts.
If you are running Liferay Portal versions 7.2.0 through 7.4.2, or older unsupported versions, and Liferay DXP versions prior to service pack 3 for 7.3 and fix pack 17 for 7.2, you are potentially affected.
Upgrade to Liferay Portal version 7.4.3 or later to remediate the vulnerability. Consider input validation and WAF rules as interim measures.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation if left unpatched.
Refer to the official Liferay security advisory for detailed information and mitigation steps: [https://liferay.com/portal/security-advisories](https://liferay.com/portal/security-advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.