CVE-2024-25610

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2.0 through 7.4.3.12 Liferay DXP 7.4 before update 9 Liferay DXP 7.3 before update 4 Liferay DXP 7.2 before fix pack 19

Description The default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry’s content text field.

Recommendations For Liferay Portal versions 7.2.0 through 7.4.3.12, update to a version that includes the fix for this issue. For Liferay DXP 7.4 before update 9, apply update 9 to resolve the issue. For Liferay DXP 7.3 before update 4, apply update 4 to resolve the issue. For Liferay DXP 7.2 before fix pack 19, apply fix pack 19 to resolve the issue. As a temporary workaround, consider disabling the ability to inject JavaScript into blog entries until a patch is available.