9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-25152

CVE-2024-25152: Liferay Portal Message Board widget and Liferay DXP vulnerable to stored Cross-site Scripting

Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-25152

CVE-2024-25152:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:release.portal.bom	maven	<= 7.4.2
com.liferay.portal:release.dxp.bom	maven	>= 7.3.0, < 7.3.10.u4	7.3.10.u4
com.liferay.portal:release.dxp.bom	maven	>= 7.2.0, < 7.2.10.fp17	7.2.10.fp17

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized filename rendering in the Message Board attachment interface. While exact code isn't available, Liferay's architecture typically handles attachments through JSP views. The description explicitly cites filename-based XSS, indicating the rendering path fails to use proper escaping mechanisms like HtmlUtil.escape() when outputting filenames. This matches common XSS patterns in Java web applications where user-controlled input is directly embedded in responses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-25152: Liferay Portal Message Board widget and Liferay DXP vulnerable to stored Cross-site Scripting

CVE-2024-25152:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.1

9.1

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-25152: Liferay Portal Message Board widget and Liferay DXP vulnerable to stored Cross-site Scripting

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI