プラットフォーム
java
コンポーネント
expando
修正版
7.4.3
7.3.11
7.2.11
CVE-2024-25601 describes a stored cross-site scripting (XSS) vulnerability affecting the Expando module's geolocation custom fields in Liferay Portal. This vulnerability allows remote, authenticated users to inject arbitrary web scripts or HTML, potentially leading to account takeover or defacement. The vulnerability impacts versions 7.2.0 through 7.4.2, as well as older unsupported versions and Liferay DXP versions prior to service pack 3 for 7.3 and fix pack 17 for 7.2. A fix is available in version 7.4.3.
Successful exploitation of CVE-2024-25601 allows an attacker to inject malicious JavaScript code into the Liferay Portal environment. This code can then be executed in the context of other authenticated users who view the affected geolocation custom field. The attacker could potentially steal session cookies, redirect users to phishing sites, or modify the content displayed on the portal. The blast radius extends to all authenticated users who interact with custom fields utilizing the geolocation feature. This vulnerability is particularly concerning given the prevalence of Liferay Portal in enterprise environments and the potential for widespread impact.
CVE-2024-25601 was publicly disclosed on February 21, 2024. No known public proof-of-concept exploits are currently available, but the ease of exploitation inherent in XSS vulnerabilities suggests a high probability of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Given the CRITICAL severity and the wide adoption of Liferay Portal, organizations should prioritize patching.
Organizations using Liferay Portal 7.2.0 through 7.4.2, particularly those with custom applications or integrations that heavily rely on geolocation custom fields, are at significant risk. Shared hosting environments where multiple users have access to Liferay Portal instances are also particularly vulnerable.
• linux / server:
journalctl -u liferay -g 'geolocation custom field' | grep -i '<script' • generic web:
curl -I 'https://your-liferay-portal/your/geolocation/custom/field?name=<script>alert(1)</script>' | grep 'Content-Type: text/html' disclosure
エクスプロイト状況
EPSS
0.15% (36% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2024-25601 is to upgrade to Liferay Portal version 7.4.3 or later. If upgrading immediately is not feasible, consider restricting access to the geolocation custom fields or implementing strict input validation on the 'name' text field. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting custom fields can provide an additional layer of defense. Monitor Liferay logs for suspicious activity, particularly attempts to inject script tags or event handlers into custom field names. After upgrading, confirm the fix by attempting to inject a simple XSS payload into a geolocation custom field and verifying that it is properly sanitized.
Liferay Portalを最新バージョンにアップデートしてください。Liferay DXP 7.3の場合は、service pack 3以降にアップデートしてください。Liferay DXP 7.2の場合は、fix pack 17以降にアップデートしてください。これにより、Expandoモジュールのジオロケーションカスタムフィールドにおける保存型XSS脆弱性が修正されます。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2024-25601 is a critical stored cross-site scripting (XSS) vulnerability in Liferay Portal versions 7.2.0 through 7.4.2, allowing authenticated users to inject malicious scripts.
If you are running Liferay Portal versions 7.2.0 through 7.4.2, or older unsupported versions, and Liferay DXP versions prior to service pack 3 for 7.3 and fix pack 17 for 7.2, you are potentially affected.
Upgrade to Liferay Portal version 7.4.3 or later to remediate the vulnerability. Consider input validation and WAF rules as interim measures.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation if left unpatched.
Refer to the official Liferay security advisory for detailed information and mitigation steps: [https://liferay.com/portal/security-advisories](https://liferay.com/portal/security-advisories)
pom.xml ファイルをアップロードすると、影響の有無を即座にお知らせします。