8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-25148

GHSA ID

GHSA-qwj8-qgpr-8crm

EPSS Score

0.58117%

CWE

CWE-200

Published

2/8/2024

Updated

10/2/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-25148

CVE-2024-25148: Liferay Portal vulnerable to user impersonation

In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the doAsUserId URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-25148

GHSA ID

GHSA-qwj8-qgpr-8crm

EPSS Score

0.58117%

CWE

CWE-200

Published

2/8/2024

Updated

10/2/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:release.portal.bom	maven	>= 7.2.0, < 7.4.2	7.4.2
com.liferay.portal:release.dxp.bom	maven	>= 7.2.0, < 7.2.10.fp15	7.2.10.fp15
com.liferay.portal:release.dxp.bom	maven	>= 7.3.0, < 7.3.10.u4	7.3.10.u4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of the 'doAsUserId' parameter during URL generation in content creation workflows. The WYSIWYG editor's link insertion mechanism would logically reuse the current request context (including sensitive parameters) unless explicitly sanitized. This matches the CWE-201 pattern (inserting sensitive data into sent content) and aligns with Liferay's patch focus on parameter filtering in editor components. While exact function names aren't disclosed, the architectural pattern implies vulnerable URL generation logic in editor utilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Li**r*y Port*l *.*.* t*rou** *.*.*, *n* ol**r unsupport** v*rsions, *n* Li**r*y *XP *.* ***or* s*rvi** p**k *, *.* ***or* *ix p**k **, *n* ol**r unsupport** v*rsions t** `*o*sUs*rI*` URL p*r*m*t*r m*y **t l**k** w**n *r**tin* link** *ont*nt usin*

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* t** '*o*sUs*rI*' p*r*m*t*r *urin* URL **n*r*tion in *ont*nt *r**tion work*lows. T** WYSIWY* **itor's link ins*rtion m****nism woul* lo*i**lly r*us* t** *urr*nt r*qu*st *ont*xt (in*lu*in* s*nsitiv* p*r

8.1

Basic Information

Concerned about an active attack path?

CVE-2024-25148: Liferay Portal vulnerable to user impersonation

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI