CVE-2024-25610

{"id": "CVE-2024-25610", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@liferay.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2024-02-20T13:15:08.493", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610", "source": "security@liferay.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@liferay.com", "description": [{"lang": "en", "value": "CWE-1188"}]}], "descriptions": [{"lang": "en", "value": "In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry\u2019s content text field."}, {"lang": "es", "value": "En Liferay Portal 7.2.0 a 7.4.3.12 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 9, 7.3 antes de la actualizaci\u00f3n 4, 7.2 antes del fixpack 19 y versiones anteriores no compatibles, la configuraci\u00f3n predeterminada no sanitiza las entradas del blog de JavaScript , que permite a usuarios remotos autenticados inyectar script web o HTML (XSS) arbitrarios mediante un payload manipulado que se inyecto en el campo de texto de contenido de una entrada de blog."}], "lastModified": "2024-02-20T19:50:53.960", "sourceIdentifier": "security@liferay.com"}