Platform
java
Component
com.liferay.portal:release.portal.bom
Fixed versions
7.4.4
7.4.14
7.3.11
7.2.11
7.4.3.5
CVE-2024-25603 is a stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping (DDM) module of Liferay Portal, specifically in DDMForm handling of the instanceId parameter. A remote, authenticated user can inject arbitrary web script or HTML that is then served to other users, which can lead to account takeover or defacement. Affected versions are Liferay Portal 7.2.0 through 7.4.3.4 and older unsupported releases, as well as Liferay DXP 7.4.13, 7.3 before update 4, and 7.2 before fix pack 17. The fix for Liferay Portal is in 7.4.3.5.
Successful exploitation lets an attacker plant JavaScript that runs in the browser of every other authenticated user who views the affected page. The script executes with the victim's session, so it can read what the victim can read, submit requests as the victim, redirect them to phishing pages, or alter the portal's content. Because the payload is stored rather than reflected, it persists until someone removes it and can reach many users from a single injection. If an administrator views the injected content, the script runs with that administrator's privileges and can drive administrative functions, which amounts to full control of the instance.
CVE-2024-25603 was publicly disclosed on February 21, 2024. There is currently no indication of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Note, though, that a stored XSS reachable with any authenticated account is straightforward to reproduce from the advisory, so public proof-of-concept code may appear and the issue should not be left unpatched on the strength of the low EPSS alone.
Organizations running Liferay Portal or DXP where authenticated users (employees, partners, customers with self-registered accounts) can reach the Dynamic Data Mapping module are exposed. This covers the common deployments: content management, intranet portals, and customer experience platforms. Legacy installations on unsupported versions are particularly exposed because they receive no security updates.
• linux / server: Examine the web server or Tomcat access log for requests to DDM form pages that carry script-like content in the instanceId parameter. Access logs record only the request line, so a payload submitted in a POST body will not appear there; match both the raw and the percent-encoded forms:
grep -iE '<script|%3Cscript|javascript:|javascript%3A' /path/to/liferay/portal/logs/access.log
• generic web: With the session cookie of an authenticated test user (the flaw requires a logged-in account), submit a harmless marker payload in the instanceId parameter to the affected DDM form and inspect the raw HTML of the response. The installation is vulnerable if the payload comes back unencoded; curl does not execute script, so look for the literal tag in the body rather than for "script execution". The path below is a placeholder, not a known Liferay route; use the actual form URL of your deployment and only test systems you are authorized to test:
curl -b '<session_cookie>' -X POST -d "instanceId=<script>alert('XSS')</script>" "<liferay_portal_url>/ddm/forms/<form_id>"
• java: Monitor Liferay's own application log for errors in DDMForm processing. A successful XSS injection does not normally raise an exception, so stack traces are at best a weak, supplementary signal.
• wordpress / composer / npm: N/A. This vulnerability is specific to Liferay Portal, not WordPress or its dependencies.
• database (mysql, redis, mongodb, postgresql): N/A. This vulnerability is not in a database system, although the injected payload is persisted in Liferay's database as form data.
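The grep above misses payloads that avoid the literal `<script` token (event-handler attributes, `javascript:` URIs, double percent-encoding). The following scanner, added here as an example and not taken from the page or from Liferay, parses Combined Log Format request lines, percent-decodes the watched parameter repeatedly, and matches several XSS indicators against the decoded value. The log records are constructed for the example and the request paths are placeholders; only the parameter name instanceId comes from the advisory.

```python
"""Added example: scan access-log lines for XSS payloads in a DDM form parameter.

Not code from the page or from Liferay. The log lines are constructed for the
example and the request paths are placeholders, not real Liferay routes.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample records in Combined Log Format (what Tomcat's AccessLogValve
# and Apache httpd write). Only the request line is logged, so POST bodies are
# invisible here; the bob/POST line shows that gap.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Feb/2024:10:01:02 +0000] "GET /web/guest/form?instanceId=12345 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - mallory [21/Feb/2024:10:02:15 +0000] "GET /web/guest/form?instanceId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.9 - mallory [21/Feb/2024:10:03:40 +0000] "GET /web/guest/form?instanceId=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.7 - bob [21/Feb/2024:10:04:01 +0000] "POST /web/guest/form HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - mallory [21/Feb/2024:10:05:00 +0000] "GET /web/guest/form?instanceId=javascript%3Aalert(1) HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.9 - mallory [21/Feb/2024:10:06:30 +0000] "GET /web/guest/form?instanceId=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, timestamp, quoted request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicators matched against the fully decoded parameter value.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "html_tag": re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I),
}

# instanceId is the parameter the advisory names; add others as needed.
WATCHED_PARAMS = {"instanceid"}


def decode_value(raw: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (parse_qsl already removed
    one). Double-encoded payloads slip past a grep for the literal '<script'."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> list[dict]:
    """Return one finding per (watched parameter, matching indicator) on a line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in WATCHED_PARAMS:
            continue
        value = decode_value(raw)
        for label, pattern in XSS_PATTERNS.items():
            if pattern.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "method": m.group("method"),
                    "param": name,
                    "value": value,
                    "indicator": label,
                })
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan every line of an access log."""
    findings = []
    for line in text.splitlines():
        findings.extend(scan_line(line))
    return findings


def findings_per_user(findings: list[dict]) -> dict[str, int]:
    """Count findings by authenticated user; a single account generating many
    hits is the triage starting point for a stored XSS."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['user']}@{f['ip']} {f['method']} {f['param']}={f['value']!r} [{f['indicator']}]")
    print(findings_per_user(hits))
```

On the sample above, the plain grep would flag only the second line; the scanner also catches the attribute breakout, the `javascript:` URI, and the double-encoded `<img onerror>`, and attributes all of them to the same account. It still cannot see the POST on the fourth line, which is why access-log review needs to be paired with application-level request logging or a WAF in front of the form.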
disclosure
patch
Exploitation status
EPSS
0.15% (36th percentile)
CVSS vector
The primary mitigation for CVE-2024-25603 is to upgrade Liferay Portal to 7.4.3.5 or later (or the corresponding DXP update or fix pack). If an immediate upgrade is not possible, add input validation and output encoding for the instanceId parameter in the DDMForm rendering path; this reduces the attack surface but is not a substitute for the vendor fix. A web application firewall with rules that block XSS payloads aimed at DDM form requests gives a temporary additional layer, bearing in mind that encoded and attribute-based payloads must be covered, not just the literal `<script` token. Review Liferay's security configuration regularly against current best practice. After upgrading, confirm the fix by submitting a harmless marker payload through the DDMForm as a test user and verifying that it is returned HTML-encoded rather than as live markup.
Update Liferay Portal to the latest version that contains the fix for this XSS vulnerability. See the Liferay security advisory for the fixed versions and the specific update steps.
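To make the interim mitigation concrete, here is the unsafe rendering pattern behind this class of bug next to the validated and encoded variants. This is generic illustration code added here, not Liferay's DDMForm implementation (which is Java) and not taken from the advisory; the decimal format assumed for instanceId and the payloads are assumptions made for the example.

```python
"""Added example: unsafe rendering of a request parameter beside hardened forms.

Illustration only. Not Liferay's DDMForm code; the id format and payloads are
assumptions for the example.
"""
import html
import json
import re

# Constructed values for the demonstration.
BENIGN_ID = "12345"
PAYLOAD = '"><script>alert(document.cookie)</script>'
SCRIPT_BREAKOUT = "</script><script>alert(1)</script>"

# Assumption: a form instance id is a decimal identifier. Confirm the real
# format before enforcing an allow-list like this in production.
INSTANCE_ID_RE = re.compile(r"[0-9]{1,19}")


def render_vulnerable(instance_id: str) -> str:
    """The flaw class the advisory describes: the parameter is written into the
    page verbatim, so markup in it becomes markup in the response."""
    return f'<input type="hidden" name="instanceId" value="{instance_id}">'


def render_encoded(instance_id: str) -> str:
    """Output encoding for the HTML attribute context. quote=True also converts
    the double quote, which is what lets the payload close the attribute in the
    vulnerable version."""
    return (
        f'<input type="hidden" name="instanceId" '
        f'value="{html.escape(instance_id, quote=True)}">'
    )


def validate_instance_id(instance_id: str) -> str:
    """Input validation: reject anything not shaped like an id. This is defense
    in depth; encoding at output is still required."""
    if not INSTANCE_ID_RE.fullmatch(instance_id):
        raise ValueError("instanceId must be a decimal identifier")
    return instance_id


def render_hardened(instance_id: str) -> str:
    """Validate, then encode: the combination the mitigation text suggests."""
    return render_encoded(validate_instance_id(instance_id))


def js_string_literal(value: str) -> str:
    """Encoding is context specific. Inside an inline <script> block html.escape
    is the wrong tool; a JSON string literal is right, except that json.dumps
    leaves '</' alone and a '</script>' inside the value would end the block
    early, so that sequence is escaped as well."""
    return json.dumps(value).replace("</", "<\\/")


def is_live_markup(rendered: str) -> bool:
    """Demo check: a raw '<script' surviving in the output means the payload
    was emitted as markup rather than as text."""
    return "<script" in rendered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("encoded:   ", render_encoded(PAYLOAD))
    print("hardened:  ", render_hardened(BENIGN_ID))
    print("js literal:", js_string_literal(SCRIPT_BREAKOUT))
```

The encoded variant alone already neutralises the attribute-breakout payload; the allow-list is there so that a value which is not an identifier never reaches the renderer at all. The last function is the caveat practitioners most often miss: an encoder chosen for the wrong context (HTML escaping inside a script block, or JSON without `</` handling) leaves the injection open.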
CVE-2024-25603 is a stored cross-site scripting (XSS) vulnerability in the DDMForm of Liferay Portal 7.2.0 through 7.4.3.4 and affected Liferay DXP releases; it allows authenticated users to inject malicious scripts via the instanceId parameter.
You are affected if you run Liferay Portal 7.2.0 through 7.4.3.4 (or an older unsupported release), or Liferay DXP 7.4.13, 7.3 before update 4, or 7.2 before fix pack 17.
Upgrade to Liferay Portal 7.4.3.5 or later (or the corresponding DXP update). As a temporary measure, add input validation and output encoding for the instanceId parameter.
There is currently no indication of active exploitation, but a stored XSS reachable by any authenticated user is easy to reproduce and could become a target.
Refer to the official Liferay security advisory: [https://liferay.com/portal/security-advisory/liferay-portal-dxp-security-vulnerability-xss-in-ddmform](https://liferay.com/portal/security-advisory/liferay-portal-dxp-security-vulnerability-xss-in-ddmform)