What is CVE-2024-25602 — XSS in Liferay Portal?

CVE-2024-25602 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal's Users Admin module, allowing attackers to inject malicious scripts.

Am I affected by CVE-2024-25602 in Liferay Portal?

You are affected if you are running Liferay Portal versions 7.2.0–7.4.2, or older unsupported versions, and Liferay DXP versions prior to service pack 3 for 7.3 and prior to fix pack 17 for 7.2.

How do I fix CVE-2024-25602 in Liferay Portal?

Upgrade to Liferay Portal 7.4.3 or later to remediate the vulnerability. Consider temporary workarounds like input validation and WAF rules if immediate upgrading is not possible.

Is CVE-2024-25602 being actively exploited?

While no active exploitation campaigns have been publicly confirmed, the vulnerability's CRITICAL severity suggests a high probability of exploitation.

Where can I find the official Liferay advisory for CVE-2024-25602?

Refer to the official Liferay security advisory for detailed information and mitigation steps: [https://liferay.com/security-advisories/liferay-portal-and-dxp-security-vulnerability-xss-in-users-admin-module](https://liferay.com/security-advisories/liferay-portal-and-dxp-security-vulnerability-xss-in-users-admin-module)

CVE-2024-25602 — Vulnerability Details

NEXTGUARD

Escanear grátis

CVE-2024-25602 — Vulnerability Details | NextGuard

Passos de Detecçãotraduzindo…

• linux / server:

journalctl -u liferay -g "XSS injection"

• generic web:

curl -I 'https://<liferay_portal_url>/users/admin/edit-user?organizationName=<xss_payload>' | grep 'Content-Security-Policy'

• wordpress / composer / npm: (Not applicable - Liferay is not a WordPress/Composer/npm project) • database (mysql, redis, mongodb, postgresql): (Not applicable - XSS is a web vulnerability) • windows / supply-chain: (Not applicable - Liferay is not a Windows/supply-chain application)

Vulnerabilidade de Cross-Site Scripting (XSS) armazenada na página de edição de usuário do módulo Users Admin em Liferay Portal 7.2.0 até 7.4.2, e versões não suportadas mais antigas, e Liferay DXP 7.3 antes do service pack 3,

Impacto e Cenários de Ataquetraduzindo…

Contexto de Exploraçãotraduzindo…

Quem Está em Riscotraduzindo…

Passos de Detecçãotraduzindo…

Linha do Tempo do Ataque

Inteligência de Ameaças

Software Afetado

Classificação de Fraqueza (CWE)

Linha do tempo

Mitigação e Soluções Alternativastraduzindo…

Como corrigir

Boletim de Segurança CVE

Perguntas frequentestraduzindo…

What is CVE-2024-25602 — XSS in Liferay Portal?

Am I affected by CVE-2024-25602 in Liferay Portal?

How do I fix CVE-2024-25602 in Liferay Portal?

Is CVE-2024-25602 being actively exploited?

Where can I find the official Liferay advisory for CVE-2024-25602?

Seu projeto está afetado?

Detecte esta CVE no seu projeto