CVE-2024-25147: 
Java vulnerability analysis and mitigation

CVE-2024-25147 is a Cross-site Scripting (XSS) vulnerability discovered in HtmlUtil.escapeJsLink component affecting Liferay Portal versions 7.2.0 through 7.4.1 and older unsupported versions, as well as Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions. The vulnerability was disclosed on February 20, 2024 (NVD, Liferay Advisory).

The vulnerability exists in the HtmlUtil.escapeJsLink component and allows remote attackers to inject arbitrary web script or HTML through crafted javascript: style links. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 9.6 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) by Liferay Inc., while NIST assessed it with a score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If exploited, this vulnerability could allow attackers to execute arbitrary web scripts or HTML in the context of the affected application, potentially leading to theft of sensitive information, session hijacking, or other malicious actions (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal 7.4.2, Liferay DXP 7.3 service pack 3, or Liferay DXP 7.2 fix pack 15 (Liferay Advisory).