Platform: java
Component: message-board-widget
Fixed versions: 7.4.3, 7.3.11, 7.2.11
CVE-2024-25152 is a stored cross-site scripting (XSS) vulnerability in the Message Board widget of Liferay Portal 7.2.0 through 7.4.2 (and older unsupported versions) and of Liferay DXP 7.3 before Service Pack 3 and 7.2 before Fix Pack 17. An attacker can inject arbitrary web script or HTML through the filename of a message attachment: the name is stored with the message and later rendered to other users. Because the payload runs in those users' browsers, it threatens data integrity and user security and can lead to account compromise. The vulnerability was published on 2024-02-21; a fix is available in Liferay Portal 7.4.3.
Successful exploitation of CVE-2024-25152 lets an attacker plant JavaScript in the Liferay Portal environment that executes in the browser of every authenticated user who views the affected Message Board content, and that runs with the portal's origin. From there the attacker can steal session cookies (unless they are HttpOnly), redirect users to phishing pages, deface the site, or perform actions on the portal as the victim. The impact is amplified by the vulnerability being stored: the script persists in the attachment record until it is removed, so one upload can reach many users over time. Compared with other XSS bugs that ride on obvious free-text input, the attachment filename is a subtle vector that application reviews and filters frequently overlook.
CVE-2024-25152 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature and severity suggest a potential for exploitation. The vulnerability was publicly disclosed on 2024-02-21, increasing the likelihood of exploitation attempts. Organizations using affected versions of Liferay Portal should prioritize patching to mitigate this risk.
Organizations that rely on Liferay Portal for content management and collaboration are particularly exposed. Environments where users routinely upload attachments to the Message Board widget, such as internal knowledge bases or forums, face a higher probability of exploitation, since any user who can post an attachment can plant the payload. Liferay instances that host multiple sites under one origin are also at risk: script injected through one site's message board runs with that origin's cookies and session and can therefore affect users of the other sites served from the same instance.
• linux / server: Monitor Liferay logs (e.g., liferay.log; the exact path depends on your installation) for attachment uploads whose filenames contain markup or event-handler attributes. A quick first pass (use extended regex, since `|` is a literal character in a basic grep):
grep -Ei 'script|alert|onerror|javascript:' /opt/liferay/logs/liferay.log
• generic web: Use curl to upload an attachment whose filename carries an XSS payload, then load the message page that lists the attachment and check whether the filename comes back HTML-encoded or verbatim. The endpoint below is a placeholder; take the real upload URL and form fields from the widget's own attachment form, and note that the upload response itself is not where the stored payload renders:
curl -X POST -F "file=@test.txt;filename=<script>alert('XSS')</script>.txt" https://your-liferay-portal/o/message-board/add-attachment
Disclosure
Patch
Exploitation status
EPSS: 0.15% (36th percentile)
CVSS vector
The primary mitigation for CVE-2024-25152 is to upgrade Liferay Portal to version 7.4.3 or later (or the fixed 7.3.11 / 7.2.11 release for your branch). If an immediate upgrade is not possible, add input validation on attachment filenames in the Message Board widget as a stopgap. Be clear about what it buys: the root cause is that the stored filename is rendered without HTML encoding, so a validator narrows the attack surface but does not fix the rendering bug and can be bypassed by payloads it does not anticipate. A web application firewall tuned to block XSS payloads in uploads to the Message Board widget adds another layer, with the same caveat. Monitor Liferay logs for unusual attachment uploads. After upgrading, confirm the fix by uploading an attachment whose filename contains a script tag and verifying, on the page that lists the attachment, that the filename is rendered as encoded text and no script executes.
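To make the distinction between the stopgap and the real fix concrete, here is an added JavaScript example (not Liferay's own code, not code from this page) that shows a filename becoming stored XSS when it is spliced into HTML, the output encoding that neutralises it, and the upload-time allowlist the advisory suggests as an interim measure. The render functions, the /documents/ link shape and the allowlist pattern are assumptions for illustration, not Liferay APIs or Liferay's filename rules.

```javascript
// Added example, not Liferay code: stored XSS via an attachment filename, and two
// defensive layers. renderAttachment* are hypothetical stand-ins for a widget template.

// Vulnerable pattern: the stored filename is trusted and concatenated into markup,
// so "<img src=x onerror=alert(1)>.pdf" is parsed by the browser as an element.
function renderAttachmentVulnerable(fileEntryId, filename) {
  return '<a href="/documents/' + fileEntryId + '">' + filename + '</a>';
}

// Layer 1, the actual fix: HTML-encode at the output boundary. The stored value may
// still contain anything; the browser just sees text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderAttachmentSafe(fileEntryId, filename) {
  // The id goes into an href, so it is percent-encoded rather than HTML-encoded.
  const id = encodeURIComponent(String(fileEntryId));
  return '<a href="/documents/' + id + '">' + escapeHtml(filename) + '</a>';
}

// Layer 2, the interim workaround: refuse filenames at upload time that are not
// plausible document names. An allowlist, not a blocklist of "<script>"-style
// patterns, because encodings and odd Unicode make blocklists easy to bypass.
// (Assumed pattern; deliberately strict, loosen it to what your tenants need.)
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9 ._()\-]{0,254}$/;
function isSafeFilename(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (!SAFE_FILENAME.test(name)) return false;
  return !name.includes('..'); // no path-traversal fragments either
}

// Both layers together: gate on upload, encode on render.
function storeAndRender(fileEntryId, filename) {
  if (!isSafeFilename(filename)) {
    throw new Error('attachment filename rejected');
  }
  return renderAttachmentSafe(fileEntryId, filename);
}

const payload = '<img src=x onerror=alert(1)>.pdf';
console.log('vulnerable: ' + renderAttachmentVulnerable(42, payload));
console.log('encoded:    ' + renderAttachmentSafe(42, payload));
console.log('allowed?    ' + isSafeFilename(payload));
```

The allowlist will reject legitimate non-ASCII filenames, which is the trade-off of a stopgap; output encoding, by contrast, changes nothing about what users may upload and is what actually removes the XSS, which is why the upgrade (where Liferay fixes the rendering) rather than the filter is the mitigation to rely on.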
Update Liferay Portal to 7.4.3 or later, or apply the security patch Liferay provides. For Liferay DXP, update to 7.3 Service Pack 3 or 7.2 Fix Pack 17 or later. See the Liferay security advisory for detailed instructions.
CVE-2024-25152 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.2.0–7.4.2, allowing attackers to inject malicious scripts via attachment filenames.
If you are running Liferay Portal 7.2.0 through 7.4.2 (or an older unsupported version), or Liferay DXP 7.3 before Service Pack 3 or 7.2 before Fix Pack 17, you are potentially affected.
Upgrade Liferay Portal to version 7.4.3 or later. Until then, input validation on attachment filenames is a temporary workaround that reduces exposure but does not remove the underlying rendering flaw.
While there's no confirmed active exploitation, the vulnerability's severity and public disclosure increase the risk of exploitation attempts.
Refer to the official Liferay security advisory: [https://liferay.com/security-advisories/liferay-portal-7-4-3-released](https://liferay.com/security-advisories/liferay-portal-7-4-3-released)