CVE-2024-25610: Liferay Portal has a Stored XSS with Blog entries (Insecure defaults)

February 20, 2024 (updated December 11, 2024)

In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.

References

github.com/advisories/GHSA-vvpf-53qx-cxhh
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610
nvd.nist.gov/vuln/detail/CVE-2024-25610

Detect and mitigate CVE-2024-25610 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →