CVE-2024-25145

07.02.2024, 15:15

Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.6 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Liferay	CNA	9.6 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 30%

Vendor	Product	Version
liferay	digital_experience_platform	𝑥 < 7.2
liferay	digital_experience_platform	7.2
liferay	digital_experience_platform	7.2:fix_pack_1
liferay	digital_experience_platform	7.2:fix_pack_10
liferay	digital_experience_platform	7.2:fix_pack_11
liferay	digital_experience_platform	7.2:fix_pack_12
liferay	digital_experience_platform	7.2:fix_pack_13
liferay	digital_experience_platform	7.2:fix_pack_14
liferay	digital_experience_platform	7.2:fix_pack_15
liferay	digital_experience_platform	7.2:fix_pack_2
liferay	digital_experience_platform	7.2:fix_pack_3
liferay	digital_experience_platform	7.2:fix_pack_4
liferay	digital_experience_platform	7.2:fix_pack_5
liferay	digital_experience_platform	7.2:fix_pack_6
liferay	digital_experience_platform	7.2:fix_pack_7
liferay	digital_experience_platform	7.2:fix_pack_8
liferay	digital_experience_platform	7.2:fix_pack_9
liferay	dxp	7.3
liferay	dxp	7.3:fix_pack_2
liferay	dxp	7.3:sp1
liferay	dxp	7.3:sp2
liferay	dxp	7.3:sp3
liferay	dxp	7.3:update_1
liferay	dxp	7.3:update_2
liferay	dxp	7.3:update_3
liferay	dxp	7.4
liferay	dxp	7.4:update_1
liferay	dxp	7.4:update_2
liferay	dxp	7.4:update_3
liferay	dxp	7.4:update_4
liferay	dxp	7.4:update_5
liferay	dxp	7.4:update_6
liferay	dxp	7.4:update_7
liferay	liferay_portal	𝑥 ≤ 7.2.1
liferay	liferay_portal	7.3.0 ≤ 𝑥 ≤ 7.3.7
liferay	liferay_portal	7.4.0 ≤ 𝑥 < 7.4.3.12

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145