CVE-2024-25603 — Liferay Portal's Dynamic Data Mapping module's DDMForm and Liferay DXP vulnerabl

Description

Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter.

How to fix CVE-2024-25603

To remediate CVE-2024-25603, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 7.4.3.5 or later

Is CVE-2024-25603 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.4.13.u1, <= 7.4.13.u102
from 0, < 7.4.3.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25603
PATCHgithub.com/liferay/liferay-portal
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25603