CVE-2024-25145
Liferay Portal stored cross-site scripting (XSS) vulnerability
Description
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.
How to fix CVE-2024-25145
To remediate CVE-2024-25145, upgrade the affected package to a fixed version below.
- —upgrade to 7.4.3.13u8 or later
- —upgrade to 7.4.3.12 or later
Is CVE-2024-25145 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.4.0, < 7.4.3.13u8
- from 0, < 7.4.3.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |