Platform
java
Component
com.liferay.portal:release.portal.bom
Fixed in
7.4.4
7.4.14
7.3.11
7.2.11
7.4.3.5
CVE-2024-25603 describes a stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping (DDM) module of Liferay Portal, specifically in DDMForm. A remote, authenticated user can inject arbitrary web script or HTML via the instanceId parameter; the payload is persisted and later rendered to other users, which can lead to session hijacking, actions performed in the victim's name, or page defacement. The vulnerability affects Liferay Portal 7.2.0 through 7.4.3.4 and older unsupported versions, as well as Liferay DXP 7.4.13, 7.3 before update 4, and 7.2 before fix pack 17. Liferay Portal 7.4.3.5 contains the fix.
Successful exploitation lets an attacker place JavaScript into Liferay Portal pages that are later viewed by other authenticated users. That script runs in the victim's browser with the victim's session, so it can read data the victim can read, submit requests the victim is allowed to make, redirect the victim to a phishing page, or alter the rendered content of the portal. Because the payload is stored rather than reflected, it persists until the offending data is removed and fires for every user who renders the affected form, including administrators; if an administrator views it, the injected requests carry administrative privileges, so the realistic worst case is full compromise of the instance through the administrator's session. The precondition is that the attacker already holds an account able to submit the affected DDM form data.
CVE-2024-25603 was publicly disclosed on February 21, 2024. There is currently no indication of active exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the EPSS score shown on this page (0.15%) is correspondingly low. Exploitation is nonetheless straightforward for anyone with an account on the portal, since stored XSS needs only one crafted submission, so affected instances should be patched rather than left to the odds.
Exploit Status
EPSS
0.15% (36th percentile)
CVSS Vector
The primary mitigation for CVE-2024-25603 is to upgrade Liferay Portal to 7.4.3.5 or later (or the corresponding DXP update or fix pack). If an immediate upgrade is not possible, the interim options are narrower than they look: the vulnerable rendering lives inside the DDM module itself, so adding input validation or output encoding for the instanceId parameter is only practical where you already ship a customised DDMForm rendering, and it is not a substitute for the vendor fix. A web application firewall configured to block XSS payloads aimed at DDMForm submissions adds a temporary layer, with the usual caveat that signature-based filtering can be bypassed by an attacker who knows the target. Because the flaw is stored, upgrading stops new injection but does not remove payloads already saved in form data; review existing DDM form instances for script or HTML content as part of remediation. After upgrading, verify the fix in a test instance by submitting a harmless marker payload through the DDMForm and confirming that the page renders it as encoded text rather than as an executable element. Keep Liferay's security configuration under regular review so that hardening settings do not drift after the upgrade.
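The verification step above can be automated so that the same marker submission is re-checked after every upgrade. The Python helper below is an added example and not code from the page or from Liferay: given the HTML of the page that renders the submitted DDMForm data, it reports whether a marker token landed inside an executable position (a script body, an on* event handler attribute, or a javascript: URL), only appeared as inert encoded text, or was not reflected at all. The HTTP submission itself is left out because the page gives no request details; the two response bodies are constructed to show the vulnerable and the fixed rendering of the same input.

```python
from html.parser import HTMLParser

# A unique token makes the test payload easy to locate in the response
# regardless of how the page around it is laid out.
MARKER = "cve-2024-25603-check"
# Harmless probe payload for the instanceId parameter: it only changes the
# page title, so it is safe to submit against a test instance.
PAYLOAD = f"<script>document.title='{MARKER}'</script>"


class MarkerLocator(HTMLParser):
    """Record where MARKER appears: executable context or inert text."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: &lt; arrives as '<' in data
        self.in_script = False
        self.executable_hits = 0
        self.inert_hits = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if not value or MARKER not in value:
                continue
            lowered = name.lower()
            is_handler = lowered.startswith("on")
            is_js_url = lowered in ("href", "src", "action") and \
                value.lstrip().lower().startswith("javascript:")
            if is_handler or is_js_url:
                self.executable_hits += 1
            else:
                self.inert_hits += 1  # e.g. value="...": reflected but not run

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if MARKER not in data:
            return
        if self.in_script:
            self.executable_hits += 1
        else:
            # Encoded output such as &lt;script&gt; reaches here as plain text,
            # never as a start tag, so it cannot execute.
            self.inert_hits += 1


def classify_response(html_body):
    """Return 'executes', 'encoded' or 'absent' for a rendered page body."""
    locator = MarkerLocator()
    locator.feed(html_body)
    locator.close()
    if locator.executable_hits:
        return "executes"
    if locator.inert_hits:
        return "encoded"
    return "absent"


# Constructed responses for the example, not captures from a real instance.
VULNERABLE_BODY = (
    "<html><body><div class='ddm-form'>"
    f"<p>Instance: {PAYLOAD}</p>"
    "</div></body></html>"
)
VULNERABLE_ATTRIBUTE_BODY = (
    "<html><body>"
    f"<input name='instanceId' value='' autofocus onfocus=\"document.title='{MARKER}'\">"
    "</body></html>"
)
FIXED_BODY = (
    "<html><body><div class='ddm-form'>"
    "<p>Instance: &lt;script&gt;document.title=&#39;cve-2024-25603-check&#39;"
    "&lt;/script&gt;</p>"
    "</div></body></html>"
)

if __name__ == "__main__":
    for label, body in (("before fix", VULNERABLE_BODY), ("after fix", FIXED_BODY)):
        print(f"{label}: {classify_response(body)}")
```

Treat "absent" as a failed check rather than a pass: it usually means the submission did not land where you expected, so the fix has not actually been exercised.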
Update Liferay Portal to the latest version that includes the fix for this XSS vulnerability. Refer to the Liferay security advisory for details on the patched versions and specific upgrade steps.
CVE-2024-25603 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.2.0 through 7.4.3.4 and DXP, allowing authenticated users to inject malicious scripts.
You are affected if you are using Liferay Portal versions ≤7.4.3.4 or DXP versions 7.4.13, 7.3 before update 4, or 7.2 before fix pack 17.
Upgrade to Liferay Portal 7.4.3.5 or later, or the corresponding DXP update or fix pack. As a temporary measure, filter or encode the instanceId parameter where you control its rendering and block XSS payloads aimed at DDMForm at the WAF; neither replaces the upgrade, and stored payloads already in form data need to be reviewed separately.
There is currently no indication of active exploitation and the EPSS score is low, but any authenticated user can plant the payload with a single submission, so affected instances should still be patched promptly.
Refer to the official Liferay security advisory: [https://liferay.com/portal/security-advisory/liferay-portal-dxp-security-vulnerability-xss-in-ddmform](https://liferay.com/portal/security-advisory/liferay-portal-dxp-security-vulnerability-xss-in-ddmform)