CVE-2024-25601

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.2 Liferay DXP versions 7.3 before service pack 3 Liferay DXP versions 7.2 before fix pack 17 Liferay Portal older unsupported versions Liferay DXP older unsupported versions

Description A stored cross-site scripting (XSS) issue exists in the Expando module's geolocation custom fields. This allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the name text field of a geolocation custom field.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.2, update to a version that includes the fix for this issue. For Liferay DXP versions 7.3 before service pack 3, apply service pack 3 or later. For Liferay DXP versions 7.2 before fix pack 17, apply fix pack 17 or later. For older unsupported versions of Liferay Portal and Liferay DXP, consider upgrading to a supported version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Expando module's geolocation custom fields until a patch is available.