CVE-2024-25147

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.1 Liferay DXP versions 7.3 before service pack 3 Liferay DXP versions 7.2 before fix pack 15

Description A cross-site scripting (XSS) issue exists in the HtmlUtil.escapeJsLink function, allowing remote attackers to inject arbitrary web script or HTML via crafted javascript: style links. This can be exploited by injecting malicious code into the javascript: style links, potentially affecting the security of the application.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.1, update to a version that includes the fix for the HtmlUtil.escapeJsLink function. For Liferay DXP versions 7.3 before service pack 3, apply service pack 3 to resolve the issue. For Liferay DXP versions 7.2 before fix pack 15, apply fix pack 15 to mitigate the vulnerability. As a temporary workaround, consider restricting access to the HtmlUtil.escapeJsLink function until a patch is available.