CVE-2024-25145: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in the Portal Search module's Search Result app affecting Liferay Portal versions 7.2.0 through 7.4.3.11 and Liferay DXP versions (7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17), as well as older unsupported versions. The vulnerability was disclosed on February 6, 2024, and assigned identifier CVE-2024-25145 (Liferay Advisory).

The vulnerability exists in the Portal Search module's Search Result app when highlighting is disabled. It allows remote authenticated users to inject arbitrary web script or HTML into the search results by adding searchable content such as blogs, message board messages, or web content articles. The vulnerability has been assigned a CVSS v3.1 base score of 9.6 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) by Liferay Inc., while NIST assigned a score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows attackers to execute arbitrary web scripts or inject HTML content into the search results, potentially leading to the compromise of sensitive information, session hijacking, or other malicious actions when users interact with the compromised search results (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.12, Liferay DXP 7.4 update 8, Liferay DXP 7.3 update 4, and Liferay DXP 7.2 fix pack 17. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).