CVE-2024-25152 in Liferay

Summary

by MITRE • 02/21/2024

Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment.


Analysis

by VulDB Data Team • 04/19/2025

This stored cross-site scripting vulnerability sits in the Message Board widget of Liferay Portal and Liferay DXP. Affected are Liferay Portal 7.2.0 through 7.4.2 and older unsupported versions, and Liferay DXP 7.3 before service pack 3 and DXP 7.2 before fix pack 17, again including older unsupported versions. The flaw appears when an authenticated user attaches a file to a message board post: the attachment's filename is stored and later rendered into the page without being neutralized for the HTML context it lands in. That is the textbook stored XSS pattern, where the malicious input persists in the application's database and executes every time the affected content is displayed to another user. It is classified under CWE-79, improper neutralization of input during web page generation.

Exploitation consists of uploading an attachment whose filename carries script content, typically an HTML tag with an event handler or an inline script, which then runs in the browser of every user who views the post containing the attachment. The prerequisite is low: any remote authenticated user who can post to a message board can plant the payload, while the victims are whoever reads the thread, including administrators. The attack chain is therefore upload of the crafted filename, persistence of that string in the platform's database, and execution whenever the message board renders the attachment reference. ATT&CK has no technique dedicated to stored XSS; T1566.001 (Spearphishing Attachment) is sometimes cited because an attachment is the carrier, but that technique describes delivering a malicious file to a victim, whereas what executes here is attacker-controlled JavaScript in the victim's browser, which is closer to T1059.007 (Command and Scripting Interpreter: JavaScript).

The operational impact goes beyond a single script execution. A payload running in another user's session can read whatever that session can read, submit forms and API calls as that user, steal session cookies that are not marked HttpOnly, redirect the victim to an attacker-controlled site, or exfiltrate data visible in the page. Because the payload is stored, it keeps firing for every viewer until the attachment is removed, and message boards in enterprise deployments are read by many users across many roles, so one post can reach a large share of the user base, including privileged accounts. For organizations that rely on the portal for internal collaboration this translates into account takeover, data exposure, and the reputational and compliance consequences that follow.

Mitigation starts with updating to a release outside the affected range: Liferay Portal later than 7.4.2, Liferay DXP 7.3 service pack 3 or later, and DXP 7.2 fix pack 17 or later. After the update, verify that attachments already stored with markup in their names no longer render as HTML, since the fix may live in the renderer, in upload validation, or both, and audit existing attachments for names containing characters such as < > " ' that have no business in a filename. At the application level the durable control is contextual output encoding of filenames wherever they are rendered, backed by upload-time validation that rejects markup and control characters. A web application firewall can filter obvious payloads in transit, but filename parameters in multipart uploads are easy to obfuscate, so treat the WAF as a supplementary layer rather than the fix. A Content Security Policy that disallows inline script limits what an injected handler can do even when encoding is missed. Beyond that, log and review upload activity for unusual filenames or bursts of uploads from one account, enforce least privilege so that a compromised reader session carries as little authority as possible, and fold the widget's rendering paths into regular security testing so that similar sinks are found before an attacker finds them.
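The rendering flaw described in the analysis above and the output-encoding fix named in the mitigation paragraph, as an added example that is not Liferay code: the unsafe renderer interpolates the stored filename straight into markup, the hardened one encodes it at output time, and a separate upload-time check rejects names that carry markup. The attachment object shape, the link markup, the filename policy and the sample filenames are all assumptions for illustration.

```javascript
// Added example (not Liferay code). Shows the attachment-filename sink
// described for CVE-2024-25152 in vulnerable and hardened form.
// The attachment object shape and link markup are assumed.

// Constructed malicious filename of the kind the advisory describes:
// stored as-is, it is injected into every view of the post.
const MALICIOUS_FILENAME = '<img src=x onerror=alert(document.cookie)>.pdf';

// Vulnerable: the stored filename is interpolated directly into HTML.
function renderAttachmentUnsafe(att) {
  return `<a href="${att.url}">${att.fileName}</a>`;
}

// Minimal HTML entity encoder, safe for text and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: encode at the point of output, whatever was stored.
function renderAttachmentSafe(att) {
  return `<a href="${escapeHtml(att.url)}">${escapeHtml(att.fileName)}</a>`;
}

// Defence in depth at upload time (assumed policy): reduce to a basename so
// path parts cannot leak into the link, then reject markup and control
// characters. Returns null for a rejected name.
function validateFileName(name) {
  const base = String(name).split(/[\\/]/).pop();
  if (!base || base.length > 255) return null;
  if (/[<>"'&\x00-\x1f]/.test(base)) return null;
  return base;
}

// Crude post-render check: does a tag carrying an event handler, or a
// script/iframe tag, appear where only a filename was expected?
// Entity-encoded text such as "&lt;img ... onerror=" does not match,
// because the pattern requires a literal "<" opening the tag.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\bon\w+\s*=|<\s*(script|iframe)\b/i.test(html);
}

function demo() {
  const att = { url: '/documents/12345/report.pdf', fileName: MALICIOUS_FILENAME };
  return {
    unsafe: renderAttachmentUnsafe(att),
    safe: renderAttachmentSafe(att),
    rejected: validateFileName(MALICIOUS_FILENAME),
    accepted: validateFileName('Q3 report (final).pdf'),
  };
}

const result = demo();
console.log('unsafe :', result.unsafe);
console.log('safe   :', result.safe);
console.log('active markup in unsafe:', containsActiveMarkup(result.unsafe));
console.log('active markup in safe  :', containsActiveMarkup(result.safe));
```

The validation step is a second line of defence only: encoding at the output sink is what actually closes the bug, because a name stored before validation was added, or written through another code path, still has to be rendered safely.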

Responsible

Liferay Inc.

Reservation

02/06/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00558

KEV

no

Activities

very low
