1. Home
  2. CVE Database
  3. CVE-2024-25610
CRITICAL · 9.0

CVE-2024-25610

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default ...

Vulnerability Description

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.

CVSS Score

9.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
LiferayDigital Experience Platform< 7.2
LiferayLiferay Portal< 7.4.3.13

Related Weaknesses (CWE)

CWE-1188

References

FAQ

What is CVE-2024-25610?

CVE-2024-25610 is a vulnerability with a CVSS score of 9.0 (CRITICAL). In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default ...

How severe is CVE-2024-25610?

CVE-2024-25610 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-25610?

Check the references section above for vendor advisories and patch information. Affected products include: Liferay Digital Experience Platform, Liferay Liferay Portal.