CVE-2024-25144 – com.liferay.portal:release.dxp.bom

Package

Manager: maven
Name: com.liferay.portal:release.dxp.bom
Vulnerable Version: >=7.2.0 <7.2.10.fp19 || >=7.3.0 <7.3.10.u6 || >=7.4.0 <7.4.13.u27

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L

EPSS: 0.00318 pctl0.54217

Details

Liferay Portal denial-of-service vulnerability The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.

Metadata

Created: 2024-02-08T06:30:23Z
Modified: 2024-10-02T18:38:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-w275-m8cr-hf2v/GHSA-w275-m8cr-hf2v.json
CWE IDs: ["CWE-834", "CWE-835"]
Alternative ID: GHSA-w275-m8cr-hf2v
Finding: F138
Auto approve: 1