CVE-2024-25603: 
Java vulnerability analysis and mitigation

CVE-2024-25603 is a stored cross-site scripting (XSS) vulnerability discovered in the Dynamic Data Mapping module's DDMForm component of Liferay Portal and Liferay DXP. The vulnerability affects Liferay Portal versions 7.2.0 through 7.4.3.4 and Liferay DXP versions including 7.4.13, 7.3 before update 4, and 7.2 before fix pack 17, along with older unsupported versions. The vulnerability was disclosed on February 20, 2024 (Liferay Advisory).

The vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the instanceId parameter in the Dynamic Data Mapping module's DDMForm. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: Liferay Inc. rated it as Critical with a CVSS score of 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), while NVD assessed it as Medium with a score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability could allow authenticated attackers to execute arbitrary web scripts or inject HTML code through the instanceId parameter. This could potentially lead to the compromise of sensitive information, session hijacking, or other malicious actions within the context of the affected Liferay applications (Liferay Advisory).

The vulnerability has been fixed in the following versions: Liferay Portal 7.4.3.5, Liferay DXP 7.4 update 1, Liferay DXP 7.3 update 4, and Liferay DXP 7.2 fix pack 17. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).