CVE-2024-25610
Public Exploits: 0
Exploited in Wild: -
Description
In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.
SSVC
- Decision: Track*
Timeline
- 2024-02-08 CVE Reserved
- 2024-02-20 CVE Published
- 2024-02-21 EPSS Updated
- 2024-08-28 CVE Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-1188: Initialization of a Resource with an Insecure Default
References (1)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Liferay | Portal | >= 7.2.0.0 <= 7.4.3.12 | Affected