Platform
java
Component
expando
Opgelost in
7.4.3
7.3.11
7.2.11
CVE-2024-25601 describes a stored cross-site scripting (XSS) vulnerability affecting the Expando module's geolocation custom fields in Liferay Portal. This vulnerability allows remote, authenticated users to inject arbitrary web scripts or HTML, potentially leading to account takeover or defacement. The vulnerability impacts versions 7.2.0 through 7.4.2, as well as older unsupported versions and Liferay DXP versions prior to service pack 3 for 7.3 and fix pack 17 for 7.2. A fix is available in version 7.4.3.
Successful exploitation of CVE-2024-25601 allows an attacker to inject malicious JavaScript code into the Liferay Portal environment. This code can then be executed in the context of other authenticated users who view the affected geolocation custom field. The attacker could potentially steal session cookies, redirect users to phishing sites, or modify the content displayed on the portal. The blast radius extends to all authenticated users who interact with custom fields utilizing the geolocation feature. This vulnerability is particularly concerning given the prevalence of Liferay Portal in enterprise environments and the potential for widespread impact.
CVE-2024-25601 was publicly disclosed on February 21, 2024. No known public proof-of-concept exploits are currently available, but the ease of exploitation inherent in XSS vulnerabilities suggests a high probability of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Given the CRITICAL severity and the wide adoption of Liferay Portal, organizations should prioritize patching.
Organizations using Liferay Portal 7.2.0 through 7.4.2, particularly those with custom applications or integrations that heavily rely on geolocation custom fields, are at significant risk. Shared hosting environments where multiple users have access to Liferay Portal instances are also particularly vulnerable.
• linux / server:
journalctl -u liferay -g 'geolocation custom field' | grep -i '<script' • generic web:
curl -I 'https://your-liferay-portal/your/geolocation/custom/field?name=<script>alert(1)</script>' | grep 'Content-Type: text/html' disclosure
Exploit Status
EPSS
0.15% (36% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-25601 is to upgrade to Liferay Portal version 7.4.3 or later. If upgrading immediately is not feasible, consider restricting access to the geolocation custom fields or implementing strict input validation on the 'name' text field. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting custom fields can provide an additional layer of defense. Monitor Liferay logs for suspicious activity, particularly attempts to inject script tags or event handlers into custom field names. After upgrading, confirm the fix by attempting to inject a simple XSS payload into a geolocation custom field and verifying that it is properly sanitized.
Werk Liferay Portal bij naar de meest recente versie. Voor Liferay DXP 7.3, werk bij naar service pack 3 of hoger. Voor Liferay DXP 7.2, werk bij naar fix pack 17 of hoger. Dit zal de opgeslagen XSS-kwetsbaarheid in de geolocatie aangepaste velden van de Expando module oplossen.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2024-25601 is a critical stored cross-site scripting (XSS) vulnerability in Liferay Portal versions 7.2.0 through 7.4.2, allowing authenticated users to inject malicious scripts.
If you are running Liferay Portal versions 7.2.0 through 7.4.2, or older unsupported versions, and Liferay DXP versions prior to service pack 3 for 7.3 and fix pack 17 for 7.2, you are potentially affected.
Upgrade to Liferay Portal version 7.4.3 or later to remediate the vulnerability. Consider input validation and WAF rules as interim measures.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation if left unpatched.
Refer to the official Liferay security advisory for detailed information and mitigation steps: [https://liferay.com/portal/security-advisories](https://liferay.com/portal/security-advisories)
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je pom.xml-bestand en we vertellen je direct of je getroffen bent.