CVE-2024-25147
📋 TL;DR
This cross-site scripting (XSS) vulnerability in Liferay's HtmlUtil.escapeJsLink function allows attackers to inject malicious JavaScript or HTML through crafted javascript: links. Attackers can execute arbitrary code in users' browsers, potentially stealing session cookies, redirecting users, or performing actions on their behalf. Affected systems include Liferay Portal 7.2.0 through 7.4.1 and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data theft, session hijacking, and potential privilege escalation leading to full system compromise.
Likely Case
Session hijacking, credential theft, defacement, and client-side data exfiltration.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity and can be exploited by unauthenticated attackers if they can deliver malicious links to users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.2+, Liferay DXP 7.3 service pack 3+, 7.2 fix pack 15+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Liferay's customer portal.
2. Apply the patch following Liferay's patch installation guide.
3. Restart the Liferay server.
4. Verify the fix by testing javascript: link handling.
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict script execution sources and prevent inline JavaScript execution.
Add to web server configuration: Content-Security-Policy: script-src 'self'
Input Validation Filter
Deploy a web application firewall or custom filter to block javascript: links in user input.
Configure WAF rules to block requests containing javascript: in parameters
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent inline script execution.
- Deploy a web application firewall (WAF) with XSS protection rules enabled.
🔍 How to Verify
Check if Vulnerable:
Test by attempting to inject javascript: links in user input fields and checking if they execute.
Check Version:
Check Liferay version in Control Panel → Configuration → Server Administration → System Information
Verify Fix Applied:
After patching, test javascript: link injection attempts to confirm they are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution in user sessions
- Requests containing javascript: in parameters
Network Indicators:
- Unexpected outbound connections from user browsers to attacker-controlled domains
SIEM Query:
web_access_logs WHERE url CONTAINS 'javascript:' OR parameters CONTAINS 'javascript:'
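The SIEM query above only matches the literal string javascript:. As an added example that is not part of the advisory, the following Python check percent-decodes (repeatedly, to catch double encoding) and case-normalises the request URL before matching, and runs it over constructed sample access-log lines; the Common Log Format and the field names are assumptions, not taken from Liferay.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic), Common Log Format.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2024:10:00:00 +0000] "GET /web/guest/home HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Mar/2024:10:00:01 +0000] "GET /page?redirect=javascript:alert(1) HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2024:10:00:02 +0000] "GET /page?redirect=JaVaScRiPt%3Aalert(1) HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Mar/2024:10:00:03 +0000] "GET /page?redirect=%6A%61%76%61%73%63%72%69%70%74%3A HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2024:10:00:04 +0000] "GET /docs/javascript-guide HTTP/1.1" 200 512',
]

# Extracts the request line: method, URL (path plus query string), protocol.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
# The javascript: scheme, case-insensitive, tolerating whitespace before the colon.
SCHEME_RE = re.compile(r'javascript\s*:', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded
    input (%256A -> %6A -> j) is normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_javascript_scheme(url):
    """True if the URL contains a javascript: scheme after decoding."""
    return SCHEME_RE.search(decode_fully(url)) is not None


def find_suspicious(log_lines):
    """Return the raw request URLs from log lines that carry a javascript: scheme."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if match and has_javascript_scheme(match.group('url')):
            hits.append(match.group('url'))
    return hits


if __name__ == '__main__':
    for url in find_suspicious(SAMPLE_LOGS):
        print('suspicious request:', url)
```

The plain-path entry /docs/javascript-guide is not flagged because the check requires the colon that makes the string a URL scheme, not just the substring.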