CVE-2024-25610: 
Java vulnerability analysis and mitigation

CVE-2024-25610 is a cross-site scripting (XSS) vulnerability discovered in Liferay Portal and Liferay DXP. The vulnerability affects Liferay Portal versions 7.2.0 through 7.4.3.12 and older unsupported versions, as well as Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions. The vulnerability was disclosed on February 20, 2024 (Liferay Advisory).

The vulnerability stems from the default configuration that does not properly sanitize blog entries containing JavaScript code. This insecure default configuration allows authenticated users to perform stored XSS attacks by injecting arbitrary web script or HTML through a blog entry's content text field. The vulnerability has been assigned a CVSS v3.1 base score of 9.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) by Liferay Inc., while NIST has assessed it with a score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (NVD).

The vulnerability allows authenticated attackers to inject malicious scripts into blog entries, which can then be executed when other users view the affected content. This could lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser session (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.13, Liferay DXP 7.4 update 9, Liferay DXP 7.3 update 4, and Liferay DXP 7.2 fix pack 19. As a workaround, administrators can navigate to System Settings > Security Tools > AntiSamy Sanitizer and remove com.liferay.blogs.model.BlogsEntry from the Whitelist (Liferay Advisory).