CVE-2024-25145

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-25145

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25145.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-25145

Aliases

GHSA-9vgq-w5pv-v77q

Withdrawn

2024-05-18T03:45:38.107265Z

Published

2024-02-07T15:15:09Z

Modified

2024-05-13T20:10:53Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25145

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type: GIT
Repo: https://github.com/liferay/liferay-portal
Events: Introduced

ec84d86679146b84af526f96471a730c340dda78

Fixed

bd7b145f3b6935998db45e3a704c1da668d56361