CVE-2024-25151 MEDIUM

CVE-2024-25151

Vendor Liferay
Product Portal
Weakness CWE-79 · XSS
Published February 21, 2024
Last update August 1, 2024
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user's name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver's mail client.

Key dates

02Disclosure timeline

February 21, 2024 CVE published
August 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-3672 BA Book Everything <= 1.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-5819 Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.45 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes CVE-2023-26001 WordPress Next Event Calendar <= 1.2 - Cross Site Scripting (XSS) Vulnerability CVE-2026-27627 Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS CVE-2025-10367 MiczFlor RPi-Jukebox-RFID cardEdit.php cross site scripting