CVE-2024-25151 in Liferay

Summary

by MITRE • 02/21/2024

The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver's mail client.


Analysis

by VulDB Data Team • 04/19/2025

CVE-2024-25151 affects the Calendar module of Liferay Portal and Liferay DXP. Affected are Liferay Portal 7.2.0 through 7.4.2 and older unsupported versions, together with Liferay DXP 7.3 before service pack 3, Liferay DXP 7.2 before fix pack 15 and older unsupported versions, so the issue spans several platform generations. The flaw sits in the default notification email template, which renders user-supplied data into the HTML body of the message without escaping it.

The root cause is that the Calendar module does not encode user input when it generates notification emails for calendar events. When an event is created or updated and the system sends a notification, the event title and the user's name are interpolated into the HTML email template verbatim, with no HTML entity encoding. Anyone who can create or edit an event therefore controls part of the HTML body that every invited recipient receives. Both fields are ordinary, frequently used inputs, so the injection point is reachable from a regular account without any special privilege.

The impact depends on what the recipient's mail client does with the injected markup. Mainstream mail clients do not execute script in message bodies, so the common outcome is content spoofing: attacker-controlled HTML (fake links, misleading text or images) rendered inside a notification that genuinely originates from the portal's mail server and therefore passes the recipient's usual sender checks. A mail client that executes script, or a webmail client that fails to sanitize the message body, would allow full cross-site scripting in the recipient's context, with the usual consequences of session theft, redirection to malicious sites and actions performed on behalf of the victim. Exploitation requires an authenticated account, but only an ordinary one that can create calendar events, so the bar is low wherever self-registration or broad user access is enabled.

The weakness is classified as CWE-79 (improper neutralization of input during web page generation, cross-site scripting). As an approximate ATT&CK mapping, delivery resembles T1566.002 (spearphishing link), with the difference that the message is sent by the victim's own portal rather than by the attacker, and a script-executing client would put execution under T1059.007 (JavaScript). Organizations should upgrade to a Liferay Portal release later than 7.4.2, or apply DXP 7.3 service pack 3 or DXP 7.2 fix pack 15, as applicable. Until then, escape at the point of output: HTML-encode every user-controlled value inserted into the HTML template, while leaving the text/plain alternative unencoded, and add server-side validation that rejects angle brackets in event titles and display names. Mail security filters can be tuned to flag HTML from the portal's sender address that contains script or event-handler attributes. For detection, search existing calendar event titles and user display names for tags, inline event handlers (onerror=, onload=) and javascript: URIs, none of which have a legitimate use in those fields, and alert on new occurrences.
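The escaping failure described above, together with the output-encoding and monitoring steps recommended in the analysis, as an added Python example that is not Liferay's code and not part of the VulDB entry. The template, event title, display name and mail addresses are constructed stand-ins; Liferay's real notification template and its Java rendering code are not reproduced here.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample inputs (not from the advisory): an attacker-controlled
# event title and user display name of the kind the analysis describes.
EVENT_TITLE = 'Team sync <img src=x onerror="alert(document.cookie)">'
USER_NAME = 'Mallory <a href="https://evil.example/reset">IT Support</a>'
SAFE_TITLE = "Quarterly planning"

# Hypothetical stand-in for the default notification email template.
# Liferay's real template is not reproduced here.
TEMPLATE = (
    "<html><body>"
    "<p>{user_name} invited you to the event <strong>{title}</strong>.</p>"
    "</body></html>"
)


def render_vulnerable(title, user_name):
    """Interpolate user-supplied fields verbatim: the CWE-79 pattern."""
    return TEMPLATE.format(title=title, user_name=user_name)


def render_hardened(title, user_name):
    """HTML-encode every user-supplied field where it enters the HTML body."""
    return TEMPLATE.format(
        title=html.escape(title, quote=True),
        user_name=html.escape(user_name, quote=True),
    )


def build_notification(recipient, title, user_name, escape=True):
    """Assemble the multipart/alternative message a mail client would receive."""
    msg = EmailMessage()
    msg["From"] = "calendar@portal.example"
    msg["To"] = recipient
    msg["Subject"] = "Calendar invitation"
    # The text/plain part is never parsed as HTML, so it must NOT be escaped;
    # encoding belongs only where the value is interpreted as markup.
    msg.set_content(f"{user_name} invited you to the event {title}.")
    body = render_hardened(title, user_name) if escape else render_vulnerable(title, user_name)
    msg.add_alternative(body, subtype="html")
    return msg


# Tags, inline event handlers and javascript: URIs have no legitimate use in
# an event title or a display name, so their presence is a usable alert signal.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def looks_like_markup(value):
    """Detection heuristic for stored titles and names, per the monitoring advice."""
    return bool(MARKUP_RE.search(value))


def html_body(msg):
    """Return the decoded text/html alternative of a built notification."""
    return msg.get_body(preferencelist=("html",)).get_content()


if __name__ == "__main__":
    print(render_vulnerable(EVENT_TITLE, USER_NAME))
    print(render_hardened(EVENT_TITLE, USER_NAME))
    for value in (EVENT_TITLE, USER_NAME, SAFE_TITLE):
        print(f"{looks_like_markup(value)!s:5} {value!r}")
```

The hardened renderer encodes at output rather than rewriting stored data, so an event title that legitimately contains an ampersand or a less-than sign survives intact in the plain-text part and in the portal UI, while the HTML part can no longer carry a tag. The heuristic is deliberately broad; in a real deployment it belongs in a scheduled query over the event and user tables, with matches reviewed rather than auto-deleted.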

Responsible

Liferay Inc.

Reservation

02/06/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00471

KEV

no

Activities

very low
