CVE-2024-25143 MEDIUM

Vendor Liferay
Product DXP
Weakness CWE-770 · Uncontrolled resource consumption
Published February 7, 2024
Last update October 2, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

The Document and Media widget in Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.

Key dates

02 Disclosure timeline

February 7, 2024 CVE published
October 2, 2024 Record updated