CVE-2024-25603

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.3.4 Liferay DXP versions 7.4.13, 7.3 before update 4, 7.2 before fix pack 17

Description A stored cross-site scripting (XSS) issue exists in the Dynamic Data Mapping module's DDMForm, allowing remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter. This enables attackers to execute malicious code on the victim's browser.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.3.4, update to a version that includes the fix for this issue. For Liferay DXP versions 7.4.13, 7.3 before update 4, 7.2 before fix pack 17, apply the respective updates or fix packs to resolve the issue. As a temporary workaround, consider restricting access to the Dynamic Data Mapping module's DDMForm to minimize the risk of exploitation. Avoid using the instanceId parameter in the affected module until the issue is resolved.