CVE-2024-25145 Vulnerability Details

  /     /     /  

CVE-2024-25145 Metadata Quick Info

CVE Published: 07/02/2024 | CVE Updated: 22/08/2024 | CVE Year: 2024
Source: Liferay | Vendor: Liferay | Product: Portal
Status : PUBLISHED

CVE-2024-25145 Description

Stored cross-site scripting (XSS) vulnerability in the Portal Search module\'s Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app\'s search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.

Metrics

CVSS Version: 3.1 | Base Score: 9.6 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-79
CWE Name: CWE-79 Improper Neutralization of Input During Web Page Generation ( Cross-site Scripting )
Source: Liferay

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).

Last added CVEs

▸ CVE-2024-9999 ◂
Discovered: 12/11/2024
Status: PUBLISHED
▸ CVE-2024-9997 ◂
Discovered: 29/10/2024
Status: PUBLISHED
▸ CVE-2024-9996 ◂
Discovered: 29/10/2024
Status: PUBLISHED



Tags:
CVE-2024-25145 Vulnerability Details