WEB APPLICATION VULNERABILITIES Standard & Premium

Liferay Portal CVE-2024-25148 Vulnerability (CVE-2024-25148)

Description

In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.

Remediation

References

Related Vulnerabilities

WordPress Plugin AdPlugg WordPress Ad Cross-Site Scripting (1.1.33)

MediaWiki Improper Privilege Management Vulnerability (CVE-2020-10534)

Oracle Database Server CVE-2021-2234 Vulnerability (CVE-2021-2234)

phpList Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-36399)

WordPress 4.4.x Multiple Vulnerabilities (4.4 - 4.4.9)

Severity

High

Classification

CVE-2024-25148 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Tags

Missing Update Known Vulnerabilities