CVE-2024-25144: 
Java vulnerability analysis and mitigation

CVE-2024-25144 affects the IFrame widget in Liferay Portal versions 7.2.0 through 7.4.3.26 and Liferay DXP versions (7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19), and older unsupported versions. The vulnerability was discovered and disclosed on February 6, 2024, and involves a security flaw where the IFrame widget does not properly check the URL of the IFrame (Liferay Advisory).

The vulnerability stems from the IFrame widget's failure to implement proper URL validation checks. This security weakness is classified as CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop') according to the vendor, though NIST categorizes it as CWE-834 (Excessive Iteration). The vulnerability has received a CVSS v3.1 base score of 6.5 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, while Liferay assigned it a lower score of 4.1 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L (NVD).

The vulnerability can result in a denial-of-service (DoS) condition when exploited. The attack specifically involves using a self-referencing IFrame, which can impact the availability of the affected system (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal 7.4.3.27, Liferay DXP 7.2 fix pack 19, Liferay DXP 7.3 update 6, or Liferay DXP 7.4 update 27, depending on their current version (Liferay Advisory).