LiferayVULNRICHMENT:CVE-2024-25606CVE-2024-25606
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.
CNA Affected
[
{
"vendor": "Liferay",
"product": "Portal",
"versions": [
{
"status": "affected",
"version": "7.2.0",
"versionType": "maven",
"lessThanOrEqual": "7.4.3.7"
}
],
"defaultStatus": "unknown"
},
{
"vendor": "Liferay",
"product": "DXP",
"versions": [
{
"status": "affected",
"version": "7.4.13",
"versionType": "maven",
"lessThanOrEqual": "7.4.13.u3"
},
{
"status": "affected",
"version": "7.3.10",
"versionType": "maven",
"lessThanOrEqual": "7.3.10.u11"
},
{
"status": "affected",
"version": "7.2.10",
"versionType": "maven",
"lessThanOrEqual": "7.2.10-dxp-19"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial