PT-2024-20785 · Liferay · Liferay Portal+1

Published: 2024-02-20 · Updated: 2025-01-28 · CVE-2024-25151

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.2.0 through 7.4.2
Liferay DXP 7.3 before service pack 3
Liferay DXP 7.2 before fix pack 15

Description

The Calendar module in the affected software does not escape user-supplied data in the default notification email template. This allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name, potentially leading to content spoofing or cross-site scripting (XSS) attacks, depending on the capability of the receiver's mail client.

Recommendations

For Liferay Portal versions 7.2.0 through 7.4.2, update to a version that includes the fix for this issue.
For Liferay DXP 7.3, apply service pack 3 or later.
For Liferay DXP 7.2, apply fix pack 15 or later.
As a temporary workaround, consider disabling the Calendar module until a patch is available.
Restrict access to the default notification email template to minimize the risk of exploitation.
Avoid using the title of a calendar event or the user's name in the affected email template until the issue is resolved.
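The following is an added example, not Liferay code, showing the class of defect described above: a notification template that substitutes user-supplied fields raw, next to a version that HTML-escapes them, plus a check that flags markup introduced by substituted data. The [$...$] token names and the template text are assumptions constructed for this example.

```python
import html
import re

# Constructed stand-in for a notification email template; the token names
# are assumed for this example, not taken from Liferay's actual template.
TEMPLATE = (
    "<p>Dear [$TO_NAME$],</p>"
    "<p>[$FROM_NAME$] invited you to the event <b>[$EVENT_TITLE$]</b>.</p>"
)

TOKEN_RE = re.compile(r"\[\$([A-Z_]+)\$\]")
TAG_RE = re.compile(r"<[^>]+>")


def render_unsafe(template: str, values: dict[str, str]) -> str:
    """Substitutes raw values: the unescaped behaviour the advisory describes."""
    return TOKEN_RE.sub(lambda m: values.get(m.group(1), ""), template)


def render_escaped(template: str, values: dict[str, str]) -> str:
    """Substitutes HTML-escaped values, so event titles and user names
    become inert text in the mail body instead of markup."""
    return TOKEN_RE.sub(
        lambda m: html.escape(values.get(m.group(1), ""), quote=True), template
    )


def contains_injected_markup(rendered: str, template: str) -> bool:
    """Detection check: any tag in the output that does not appear verbatim
    in the template must have come from substituted user data."""
    template_tags = set(TAG_RE.findall(template))
    return any(tag not in template_tags for tag in TAG_RE.findall(rendered))


# Constructed sample: a display name and an event title carrying markup,
# the two fields the advisory names as injection points.
SAMPLE = {
    "TO_NAME": "Alice",
    "FROM_NAME": 'Bob <a href="https://example.invalid">Verify account</a>',
    "EVENT_TITLE": "Standup <script>notify()</script>",
}

if __name__ == "__main__":
    print(contains_injected_markup(render_unsafe(TEMPLATE, SAMPLE), TEMPLATE))
    print(contains_injected_markup(render_escaped(TEMPLATE, SAMPLE), TEMPLATE))
```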

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-25151
GHSA-HGR6-6HHW-883F

Affected Products

Liferay DXP
Liferay Portal