PT-2024-21035 · Liferay · Liferay Portal, Liferay DXP

Published 2024-02-20 · Updated 2024-12-11 · CVE-2024-25606

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.2.0 through 7.4.3.7
Liferay DXP 7.4 before update 4
Liferay DXP 7.3 before update 12
Liferay DXP 7.2 before fix pack 20
Description

The issue allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask.format method.
Recommendations

For Liferay Portal versions 7.2.0 through 7.4.3.7, update to a version outside of this range. For Liferay DXP 7.4 before update 4, apply update 4. For Liferay DXP 7.3 before update 12, apply update 12. For Liferay DXP 7.2 before fix pack 20, apply fix pack 20. As a temporary workaround, consider restricting access to the Java2WsddTask.format method until a patch is available.

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2024-25606
GHSA-869H-QHFX-W939

Affected Products

Liferay DXP
Liferay Portal