Critical severityNVD Advisory· Published Feb 7, 2024· Updated Aug 22, 2024
CVE-2024-25145
CVE-2024-25145
Description
Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.portal.bomMaven | < 7.4.3.12 | 7.4.3.12 |
com.liferay.portal:release.dxp.bomMaven | >= 7.4.0, < 7.4.3.13u8 | 7.4.3.13u8 |
com.liferay.portal:release.dxp.bomMaven | >= 7.3.0, < 7.3.10.u4 | 7.3.10.u4 |
com.liferay.portal:release.dxp.bomMaven | < 7.2.10.fp17 | 7.2.10.fp17 |
Affected products
2- Liferay/DXPv5Range: 7.4.13
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-9vgq-w5pv-v77qghsaADVISORY
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-25145ghsaADVISORY
News mentions
0No linked articles in our index yet.