平台
java
组件
liferay-portal
修复版本
7.4.2
7.3.11
7.2.11
CVE-2024-25147 is a critical Cross-Site Scripting (XSS) vulnerability discovered in Liferay Portal versions 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15. This vulnerability allows remote attackers to inject malicious web scripts, potentially leading to account takeover or defacement. A fix is available in version 7.4.2, and users are strongly advised to upgrade immediately.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code into a user's browser session, allowing them to execute malicious actions as that user. This could include stealing session cookies, redirecting users to phishing sites, modifying page content, or even gaining complete control of the user's account. The vulnerability’s location within HtmlUtil.escapeJsLink suggests that it could be triggered through various input vectors, making exploitation relatively straightforward. Successful exploitation could compromise sensitive data stored within Liferay Portal, including user credentials, configuration settings, and business-critical information. Given the widespread use of Liferay Portal in enterprise environments, the potential blast radius of this vulnerability is substantial.
CVE-2024-25147 was publicly disclosed on February 21, 2024. While no active exploitation campaigns have been definitively confirmed, the vulnerability's CRITICAL severity and ease of exploitation make it a high-priority target for attackers. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Organizations heavily reliant on Liferay Portal for content management, intranet portals, or customer-facing applications are at significant risk. Specifically, deployments using older, unsupported versions of Liferay Portal are particularly vulnerable, as they no longer receive security updates. Shared hosting environments where multiple tenants share the same Liferay Portal instance are also at increased risk, as a compromise of one tenant could potentially affect others.
• linux / server:
journalctl -u liferay-portal | grep -i "javascript:"• generic web:
curl -I <liferay_portal_url>/path/to/vulnerable/endpoint | grep -i "Content-Security-Policy"• wordpress / composer / npm: (Not applicable, as Liferay is not a WordPress/Composer/npm component) • database (mysql, redis, mongodb, postgresql): (Not applicable, as the vulnerability is not database-related) • windows / supply-chain: (Not applicable, as the vulnerability is not Windows/supply-chain related)
disclosure
patch
漏洞利用状态
EPSS
0.19% (41% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-25147 is to upgrade to Liferay Portal version 7.4.2 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds. Input validation and sanitization on all user-supplied data is crucial. Web Application Firewalls (WAFs) can be configured to detect and block malicious JavaScript payloads. Review and tighten access controls to limit the potential impact of a successful attack. Monitor Liferay Portal logs for suspicious activity, particularly unusual JavaScript execution patterns. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint with a known malicious payload and verifying that the input is properly sanitized.
将 Liferay Portal 更新到 7.4.1 或更高版本,或应用 Liferay 提供的安全补丁。对于 Liferay DXP,请更新到 7.3 Service Pack 3 或 7.2 Fix Pack 15 或更高版本。请参阅 Liferay 安全公告以获取详细说明。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-25147 is a critical Cross-Site Scripting (XSS) vulnerability in Liferay Portal versions 7.2.0–7.4.1, allowing attackers to inject malicious scripts.
If you are running Liferay Portal 7.2.0–7.4.1, or older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, you are affected by this vulnerability.
Upgrade to Liferay Portal version 7.4.2 or later to remediate the vulnerability. Implement temporary workarounds like input validation if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official Liferay security advisory for detailed information and updates: [https://liferay.com/security/advisory/liferay-portal-7-4-2-released](https://liferay.com/security/advisory/liferay-portal-7-4-2-released)
上传你的 pom.xml 文件,立即知道是否受影响。