प्लेटफ़ॉर्म
java
घटक
liferay-portal
में ठीक किया गया
7.4.2
7.3.11
7.2.11
CVE-2024-25147 is a critical Cross-Site Scripting (XSS) vulnerability discovered in Liferay Portal versions 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15. This vulnerability allows remote attackers to inject malicious web scripts, potentially leading to account takeover or defacement. A fix is available in version 7.4.2, and users are strongly advised to upgrade immediately.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code into a user's browser session, allowing them to execute malicious actions as that user. This could include stealing session cookies, redirecting users to phishing sites, modifying page content, or even gaining complete control of the user's account. The vulnerability’s location within HtmlUtil.escapeJsLink suggests that it could be triggered through various input vectors, making exploitation relatively straightforward. Successful exploitation could compromise sensitive data stored within Liferay Portal, including user credentials, configuration settings, and business-critical information. Given the widespread use of Liferay Portal in enterprise environments, the potential blast radius of this vulnerability is substantial.
CVE-2024-25147 was publicly disclosed on February 21, 2024. While no active exploitation campaigns have been definitively confirmed, the vulnerability's CRITICAL severity and ease of exploitation make it a high-priority target for attackers. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Organizations heavily reliant on Liferay Portal for content management, intranet portals, or customer-facing applications are at significant risk. Specifically, deployments using older, unsupported versions of Liferay Portal are particularly vulnerable, as they no longer receive security updates. Shared hosting environments where multiple tenants share the same Liferay Portal instance are also at increased risk, as a compromise of one tenant could potentially affect others.
• linux / server:
journalctl -u liferay-portal | grep -i "javascript:"• generic web:
curl -I <liferay_portal_url>/path/to/vulnerable/endpoint | grep -i "Content-Security-Policy"• wordpress / composer / npm: (Not applicable, as Liferay is not a WordPress/Composer/npm component) • database (mysql, redis, mongodb, postgresql): (Not applicable, as the vulnerability is not database-related) • windows / supply-chain: (Not applicable, as the vulnerability is not Windows/supply-chain related)
disclosure
patch
एक्सप्लॉइट स्थिति
EPSS
0.19% (41% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2024-25147 is to upgrade to Liferay Portal version 7.4.2 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds. Input validation and sanitization on all user-supplied data is crucial. Web Application Firewalls (WAFs) can be configured to detect and block malicious JavaScript payloads. Review and tighten access controls to limit the potential impact of a successful attack. Monitor Liferay Portal logs for suspicious activity, particularly unusual JavaScript execution patterns. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint with a known malicious payload and verifying that the input is properly sanitized.
Liferay Portal को 7.4.1 के बाद के संस्करण में अपडेट करें या Liferay द्वारा प्रदान किए गए सुरक्षा पैच लागू करें। Liferay DXP के लिए, 7.3 सर्विस पैक 3 या 7.2 फिक्स पैक 15 या बाद के संस्करण में अपडेट करें। विस्तृत निर्देशों के लिए Liferay सुरक्षा घोषणा देखें।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-25147 is a critical Cross-Site Scripting (XSS) vulnerability in Liferay Portal versions 7.2.0–7.4.1, allowing attackers to inject malicious scripts.
If you are running Liferay Portal 7.2.0–7.4.1, or older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, you are affected by this vulnerability.
Upgrade to Liferay Portal version 7.4.2 or later to remediate the vulnerability. Implement temporary workarounds like input validation if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official Liferay security advisory for detailed information and updates: [https://liferay.com/security/advisory/liferay-portal-7-4-2-released](https://liferay.com/security/advisory/liferay-portal-7-4-2-released)
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी pom.xml फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।