9.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-25145

GHSA ID

GHSA-9vgq-w5pv-v77q

EPSS Score

0.36521%

CWE

CWE-79

Published

2/7/2024

Updated

2/7/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-25145

CVE-2024-25145: Liferay Portal stored cross-site scripting (XSS) vulnerability

Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-25145

CVE-2024-25145:

9.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-25145

GHSA ID

GHSA-9vgq-w5pv-v77q

EPSS Score

0.36521%

CWE

CWE-79

Published

2/7/2024

Updated

2/7/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:release.portal.bom	maven	< 7.4.3.12	7.4.3.12
com.liferay.portal:release.dxp.bom	maven	>= 7.4.0, < 7.4.3.13u8	7.4.3.13u8
com.liferay.portal:release.dxp.bom	maven	>= 7.3.0, < 7.3.10.u4	7.3.10.u4
com.liferay.portal:release.dxp.bom	maven	< 7.2.10.fp17	7.2.10.fp17

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests when search result highlighting is disabled, suggesting the XSS protection (normally provided by highlighting sanitization) is missing in this code path. While no specific code was provided, Liferay's architecture indicates search result rendering occurs in JSPs handling the Search Results portlet. The medium confidence reflects the lack of direct code evidence, but aligns with: 1) The attack vector requiring disabled highlighting 2) Liferay's known use of JSPs for portlet rendering 3) Common XSS patterns where conditional sanitization (enabled only for highlighted paths) creates vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

9.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-25145: Liferay Portal stored cross-site scripting (XSS) vulnerability

CVE-2024-25145:

9.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

9.7

9.7

Basic Information

Basic Information

CVE-2024-25145: Liferay Portal stored cross-site scripting (XSS) vulnerability

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-25145: Liferay Portal stored cross-site scripting (XSS) vulnerability

CVE-2024-25145:

9.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

9.7

9.7

Basic Information

Basic Information

CVE-2024-25145: Liferay Portal stored cross-site scripting (XSS) vulnerability

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI