CVE-2024-25152: 
Java vulnerability analysis and mitigation

CVE-2024-25152 is a stored cross-site scripting (XSS) vulnerability discovered in the Message Board widget of Liferay Portal and Liferay DXP. The vulnerability affects Liferay Portal versions 7.2.0 through 7.4.2 and older unsupported versions, as well as Liferay DXP 7.3 before service pack 3 and 7.2 before fix pack 17. The vulnerability was published on February 20, 2024 (CVE Details, NVD).

The vulnerability allows remote authenticated users to inject arbitrary web script or HTML through the filename of an attachment in the Message Board widget. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as MEDIUM (5.4) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Liferay Inc. rates it as CRITICAL (9.0) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD, Liferay Advisory).

The vulnerability can potentially allow attackers to execute arbitrary web scripts or HTML in the context of other users' browsers who view the malicious attachment filename. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions (NVD).

The vulnerability has been fixed in Liferay Portal version 7.4.3.4, Liferay DXP 7.3 service pack 3, and Liferay DXP 7.2 fix pack 17. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Liferay Advisory).