High severityNVD Advisory· Published Feb 20, 2024· Updated Aug 1, 2024

CVE-2024-25606

Description

XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay.portal:com.liferay.util.javaMaven	< 14.0.0	14.0.0
com.liferay.portal:release.portal.bomMaven	< 7.4.3.8	7.4.3.8
com.liferay.portal:release.dxp.bomMaven	>= 7.3.0, < 7.3.10.u12	7.3.10.u12
com.liferay.portal:release.dxp.bomMaven	>= 7.4.0, < 7.4.13.u4	7.4.13.u4
com.liferay.portal:release.dxp.bomMaven	< 7.2.10.fp20	7.2.10.fp20

Affected products

Liferay/Portalv5
Range: 7.2.0
Liferay/DXPv5
Range: 7.4.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-869h-qhfx-w939ghsaADVISORY
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606ghsavendor-advisoryWEB
nvd.nist.gov/vuln/detail/CVE-2024-25606ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000