PT-2024-20777 · Liferay · Liferay Portal, Liferay DXP
Published 2024-02-08 · Updated 2024-10-02 · CVE-2024-25144
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.2.0 through 7.4.3.26
Liferay DXP 7.4 before update 27
Liferay DXP 7.3 before update 6
Liferay DXP 7.2 before fix pack 19
Description
The issue is in the IFrame widget, which does not validate the URL it is configured to load. A remote authenticated user who can configure the widget can point it at the very page that embeds it; this self-referencing IFrame causes a denial of service (DoS).
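As an added illustration of the missing check described above (this is not Liferay's own code): a server-side validator that resolves the URL configured for an IFrame widget against the page embedding it, the way a browser would, and rejects a self-reference. The portal page URL, the sample IFrame URLs and the function names are assumptions; a stricter optional policy that also rejects other same-origin pages is included because two portal pages embedding each other loop in the same way.

```python
# Added example: a URL check for an IFrame widget, written to illustrate the
# validation the advisory says is missing. Not Liferay's code; the page URL
# and sample IFrame URLs below are constructed.
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical(url):
    """Reduce a URL to (scheme, host, port, path) so that letter case, default
    ports, trailing slashes, query strings and fragments cannot hide a match:
    '?tab=2' or '#top' still load the embedding page."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path.rstrip("/") or "/"
    return scheme, host, port, path


def is_self_referencing(page_url, iframe_src):
    """True if iframe_src, resolved against the page that embeds the widget,
    points back at that same page (relative, empty and protocol-relative
    values included)."""
    resolved = urljoin(page_url, iframe_src.strip())
    return canonical(resolved) == canonical(page_url)


def reject_reason(page_url, iframe_src, block_same_origin=False):
    """Return None if the IFrame URL is acceptable, else a short reason.
    block_same_origin=True is the stricter policy: it also refuses other pages
    of the same portal, which could embed the first page in turn."""
    resolved = urljoin(page_url, iframe_src.strip())
    scheme, host, port, _ = canonical(resolved)
    if scheme not in DEFAULT_PORTS or not host:
        return "unsupported IFrame URL scheme"
    if is_self_referencing(page_url, iframe_src):
        return "IFrame URL points back at the page embedding it"
    if block_same_origin and (scheme, host, port) == canonical(page_url)[:3]:
        return "IFrame URL is another page on the same portal"
    return None


if __name__ == "__main__":
    page = "https://portal.example/web/guest/home"  # constructed page URL
    for src in ["https://docs.example/manual", "", "#top", "?tab=2",
                "//Portal.Example:443/web/guest/home/", "/web/guest/about"]:
        print(f"{src!r:42} -> {reject_reason(page, src) or 'accepted'}")
```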
Recommendations
For Liferay Portal versions 7.2.0 through 7.4.3.26, update to a version that includes the fix for this issue.
For Liferay DXP 7.4 before update 27, apply update 27 to resolve the issue.
For Liferay DXP 7.3 before update 6, apply update 6 to resolve the issue.
For Liferay DXP 7.2 before fix pack 19, apply fix pack 19 to resolve the issue.
As a temporary workaround, consider disabling the IFrame widget until a patch is available.
Fix
DoS
Infinite Loop
Related Identifiers
Affected Products
Liferay DXP
Liferay Portal