CVE-2024-25152

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.2 Liferay DXP versions 7.3 before service pack 3 Liferay DXP versions 7.2 before fix pack 17

Description A stored cross-site scripting (XSS) issue in the Message Board widget allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment. This could potentially affect a large number of devices worldwide, although the exact number is not specified.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.2, update to a version that includes the fix for this issue. For Liferay DXP versions 7.3 before service pack 3, apply service pack 3 to resolve the issue. For Liferay DXP versions 7.2 before fix pack 17, apply fix pack 17 to mitigate the risk. As a temporary workaround, consider restricting access to the Message Board widget until a patch is available.