QID 731179
Date Published: 2024-02-22
QID 731179: Liferay Portal Multiple Vulnerabilities (CVE-2024-25603,CVE-2024-25604,CVE-2024-25605)
Liferay Portal is an open-source enterprise web platform for building business solutions and collaborative applications.
CVE-2024-25603: Stored cross-site scripting (XSS) vulnerability in the Dynamic Data Mapping module's DDMForm in Liferay Portal allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter.
CVE-2024-25604: Liferay Portal does not properly check user permissions, which allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.
CVE-2024-25605: The Journal module in Liferay Portal and Liferay DXP grants guest users view permission to web content templates by default, which allows remote attackers to view any template via the UI or API.
Affected Versions:
- Liferay Portal from version 7.4.0 to 7.4.3.4
- Liferay Portal from version 7.3.0 to 7.3.7
- Liferay Portal 7.2.0 and 7.2.1
- Liferay Portal, older unsupported versions
QID Detection Logic (Unauthenticated): This QID checks for a vulnerable version of Liferay Portal in the response banner.
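The version check described above, written out as an added example (this is not Qualys's detection code): it parses a version string out of a banner and compares it against the affected ranges listed in this advisory. It assumes the banner is the value of the Liferay-Portal HTTP response header; the sample banners are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges exactly as listed in the advisory (inclusive bounds).
# Anything below 7.2.0 is treated as "older unsupported versions".
AFFECTED_RANGES = [
    ((7, 4, 0), (7, 4, 3, 4)),
    ((7, 3, 0), (7, 3, 7)),
    ((7, 2, 0), (7, 2, 1)),
]

# Constructed sample banners (assumed shape of the Liferay-Portal header).
SAMPLE_BANNERS = {
    "ga4": "Liferay Community Edition Portal 7.4.3.4 CE GA4 (Cavanaugh / Build 7403 / June 2, 2021)",
    "ga5": "Liferay Community Edition Portal 7.4.3.5 CE GA5 (Cavanaugh / Build 7403 / June 30, 2021)",
    "old": "Liferay Community Edition Portal 7.1.3 CE GA4 (Judson / Build 7103 / April 30, 2019)",
}

def parse_version(banner: str) -> Optional[Version]:
    """Return the first dotted version number in the banner, or None."""
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def _in_range(v: Version, lo: Version, hi: Version) -> bool:
    # Pad all tuples to the same length so 7.3.7 compares as 7.3.7.0;
    # the advisory's upper bounds are taken literally (7.3.7.1 is outside).
    n = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(v) <= pad(hi)

def is_affected(version: Version) -> bool:
    """True if the version falls in an affected range from the advisory."""
    if version < (7, 2, 0):  # older, unsupported branches
        return True
    return any(_in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES)

def check_banner(banner: str) -> Optional[bool]:
    """None if no version could be parsed, else whether it is affected."""
    v = parse_version(banner)
    return None if v is None else is_affected(v)
```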
Successful exploitation of this vulnerability allows remote authenticated users with the VIEW user permission to edit their own permission via the User and Organizations section of the Control Panel.
- Liferay Portal (CVE-2024-25603): liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-25603
- Liferay Portal (CVE-2024-25604): liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-25604
- Liferay Portal (CVE-2024-25605): liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-25605
CVEs related to QID 731179
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| CVE-2024-25603 | Liferay Portal | Dynamic Data Mapping (DDMForm) | liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-25603 |
| CVE-2024-25604 | Liferay Portal | Users and Organizations (Control Panel) | liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-25604 |
| CVE-2024-25605 | Liferay Portal | Journal | liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-25605 |