CVE-2024-25606 — Liferay Portal has an XXE vulnerability in Java2WsddTask._format

Description

XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.

How to fix CVE-2024-25606

To remediate CVE-2024-25606, upgrade the affected package to a fixed version below.

—upgrade to 14.0.0 or later
—upgrade to 7.3.10.u12 or later
—upgrade to 7.4.3.8 or later

Is CVE-2024-25606 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 14.0.0
>= 7.3.0, < 7.3.10.u12
from 0, < 7.4.3.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25606
PATCHgithub.com/liferay/liferay-portal
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606