Beware of Script Injection Vulnerability in Liferay Portal and DXP

CVE: CVE-2024-25147
CVSS v3.1: 9.6
Source: CVE-2024-25147

Liferay Portal, an open source web content management platform, and Liferay DXP, its commercially supported edition, are affected by a cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when attacker-controlled script is injected into an otherwise trusted website and executed by the browsers of that site's users. Attackers can exploit XSS flaws to steal cookies and session tokens, hijack user accounts, perform actions as the victim, or redirect users to phishing pages.

The vulnerability in this case is due to insufficient validation of javascript: style links (links whose target uses the javascript: URL scheme) by the HtmlUtil.escapeJsLink method, which is meant to neutralize such links before they are rendered. A remote attacker could craft a javascript: link that the method fails to neutralize and trick a user into clicking on it. The attacker's JavaScript would then run in the user's browser within the security context of the affected site, with access to whatever that session can reach, including authentication tokens, account data and any action the user is authorized to perform.
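To make the failure mode concrete, the following JavaScript is an added illustration and is not Liferay's HtmlUtil.escapeJsLink or any code from the project. It places a naive javascript: check, of the kind that only matches a literal lowercase prefix, next to a hardened check that first normalizes the link the way a browser does (decoding HTML entities that apply when the value lands in an attribute, stripping ASCII whitespace and control characters, lowercasing) and then allowlists the URL scheme. The function names, the allowlist and the sample links are all assumptions made for the example; the bypass inputs are generic javascript:-filter evasions and are not the specific payload behind CVE-2024-25147, which the advisory does not describe.

```javascript
// Added illustration (not Liferay's HtmlUtil.escapeJsLink): a naive
// "javascript:" link check next to a hardened one that normalizes the way
// browsers do before deciding whether the URL scheme is acceptable.
// All function names, the allowlist and the sample links are hypothetical.

// Browsers strip tab/newline/CR inside a URL and leading/trailing C0 controls
// and spaces before parsing the scheme. Stripping all of them everywhere is a
// conservative superset of that behaviour: it can only reject more, never less.
const CONTROL_AND_SPACE_RE = /[\u0000-\u0020\u007f]/g;

// Schemes a content link is allowed to use; anything else is rejected.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Naive filter: only a literal lowercase "javascript:" prefix is rejected.
function naiveEscapeJsLink(href) {
  return href.startsWith("javascript:") ? "" : href;
}

// Minimal decoder for the entity forms that matter once the link is emitted
// inside an HTML attribute: numeric decimal/hex, &colon;, &tab;, &newline;.
// The trailing semicolon is optional, as it is in HTML attribute parsing.
function decodeHtmlEntities(s) {
  return s.replace(
    /&(?:#x([0-9a-f]+)|#(\d+)|(colon|tab|newline));?/gi,
    (match, hex, dec, named) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
      }
      return { colon: ":", tab: "\t", newline: "\n" }[named.toLowerCase()];
    }
  );
}

// Hardened filter: decode, strip whitespace/controls, lowercase, then
// allowlist the scheme. Scheme-less (relative) links are kept unchanged,
// since a relative URL cannot select a script-executing scheme.
function hardenedEscapeJsLink(href) {
  const normalized = decodeHtmlEntities(href)
    .replace(CONTROL_AND_SPACE_RE, "")
    .toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(normalized);
  if (scheme === null) return href;
  return ALLOWED_SCHEMES.has(scheme[1]) ? href : "";
}

// Constructed inputs: generic javascript:-filter evasions, not the specific
// payload behind CVE-2024-25147 (the advisory does not give one).
const BYPASS_SAMPLES = [
  "JavaScript:alert(1)",                       // case variation
  " javascript:alert(1)",                      // leading space
  "java\tscript:alert(1)",                     // embedded tab
  "\u0001javascript:alert(1)",                 // leading control character
  "&#106;avascript:alert(1)",                  // decimal entity for "j"
  "&#x6A;avascript:alert(1)",                  // hex entity for "j"
  "javascript&colon;alert(1)",                 // named entity for ":"
  "vbscript:msgbox(1)",                        // a different script scheme
  "data:text/html,<script>alert(1)</script>",  // data: URL carrying HTML
];

// Constructed benign links that a content filter must not break.
const SAFE_SAMPLES = [
  "https://example.com/",
  "/web/guest/home",
  "mailto:user@example.com",
  "?p_p_id=demo#top",
];

// Returns how many of the given links a filter lets through unchanged.
function countPassedThrough(filter, links) {
  return links.filter((href) => filter(href) === href).length;
}

console.log(`naive lets through ${countPassedThrough(naiveEscapeJsLink, BYPASS_SAMPLES)} of ${BYPASS_SAMPLES.length} evasions`);
console.log(`hardened lets through ${countPassedThrough(hardenedEscapeJsLink, BYPASS_SAMPLES)} of ${BYPASS_SAMPLES.length} evasions`);
console.log(`hardened keeps ${countPassedThrough(hardenedEscapeJsLink, SAFE_SAMPLES)} of ${SAFE_SAMPLES.length} benign links`);
```

The point of the allowlist is that a denylist of dangerous schemes is always one encoding trick behind the browser's parser; deciding what is permitted, after normalizing the same way the browser will, is the only check that does not need to anticipate every evasion. Entity decoding matters only when the filtered value is later placed in an HTML attribute without being re-encoded, which is exactly the situation a link-escaping helper is used in.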

If you run Liferay Portal or DXP, apply the latest updates and security patches provided by Liferay to fix this vulnerability. Users should also be cautious about clicking on unsolicited links received over email, messaging apps or social media, especially links that point back at a site they are logged in to. Adblockers and anti-malware software offer only limited protection against XSS, because the injected script runs as part of the trusted site itself; the effective fix is on the server. Website administrators should validate untrusted input, encode it for the context in which it is output, and in particular restrict user-supplied link targets to an allowlist of URL schemes such as http, https and mailto rather than trying to deny javascript: and its many encoded variants.
