Lucene search

K
cvelistLiferayCVELIST:CVE-2024-25144
HistoryFeb 08, 2024 - 3:25 a.m.

CVE-2024-25144

2024-02-0803:25:31
CWE-834
Liferay
www.cve.org
cve-2024-25144
iframe widget
liferay portal
denial-of-service
self referencing

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.4%

The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "Portal",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.4.3.26",
        "status": "affected",
        "version": "7.2.0",
        "versionType": "maven"
      }
    ]
  },
  {
    "defaultStatus": "unknown",
    "product": "DXP",
    "vendor": "Liferay",
    "versions": [
      {
        "lessThanOrEqual": "7.4.13.u26",
        "status": "affected",
        "version": "7.4.13",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "7.3.10.u5",
        "status": "affected",
        "version": "7.3.10",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "7.2.10-dxp-18",
        "status": "affected",
        "version": "7.2.10",
        "versionType": "maven"
      }
    ]
  }
]

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.4%

Related for CVELIST:CVE-2024-25144