CVE-2024-25602: 
Java vulnerability analysis and mitigation

CVE-2024-25602 is a stored cross-site scripting (XSS) vulnerability discovered in the Users Admin module's edit user page of Liferay Portal versions 7.2.0 through 7.4.2 and Liferay DXP versions. The vulnerability affects Liferay Portal 7.4.0 through 7.4.2, 7.3.0 through 7.3.7, 7.2.0 and 7.2.1, and older unsupported versions, as well as Liferay DXP 7.3 before service pack 3 and 7.2 before fix pack 17 (Liferay Advisory).

The vulnerability allows remote authenticated users to inject arbitrary web script or HTML through a crafted payload injected into an organization's "Name" text field. The severity of this vulnerability has been rated with a CVSS v3.1 base score of 9.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) by Liferay Inc., while NIST has assigned it a score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability can lead to the execution of arbitrary web scripts or HTML in the context of other users' browsers who view the affected organization name. Given the CVSS scoring, the potential impact includes high confidentiality, integrity, and availability risks in the affected systems (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.4, Liferay DXP 7.3 service pack 3, and Liferay DXP 7.2 fix pack 17. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).