{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25606", "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "state": "PUBLISHED", "assignerShortName": "Liferay", "dateReserved": "2024-02-08T13:57:11.425Z", "datePublished": "2024-02-20T09:03:19.221Z", "dateUpdated": "2024-08-01T23:44:09.795Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Portal", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.4.3.7", "status": "affected", "version": "7.2.0", "versionType": "maven"}]}, {"defaultStatus": "unknown", "product": "DXP", "vendor": "Liferay", "versions": [{"lessThanOrEqual": "7.4.13.u3", "status": "affected", "version": "7.4.13", "versionType": "maven"}, {"lessThanOrEqual": "7.3.10.u11", "status": "affected", "version": "7.3.10", "versionType": "maven"}, {"lessThanOrEqual": "7.2.10-dxp-19", "status": "affected", "version": "7.2.10", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method."}], "value": "XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "shortName": "Liferay", "dateUpdated": "2024-02-20T09:03:19.221Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25606", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T13:32:40.505546Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:20:56.428Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:44:09.795Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:44:09.795Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25606", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T13:32:40.505546Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:37.331Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Liferay", "product": "Portal", "versions": [{"status": "affected", "version": "7.2.0", "versionType": "maven", "lessThanOrEqual": "7.4.3.7"}], "defaultStatus": "unknown"}, {"vendor": "Liferay", "product": "DXP", "versions": [{"status": "affected", "version": "7.4.13", "versionType": "maven", "lessThanOrEqual": "7.4.13.u3"}, {"status": "affected", "version": "7.3.10", "versionType": "maven", "lessThanOrEqual": "7.3.10.u11"}, {"status": "affected", "version": "7.2.10", "versionType": "maven", "lessThanOrEqual": "7.2.10-dxp-19"}], "defaultStatus": "unknown"}], "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.", "supportingMedia": [{"type": "text/html", "value": "XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "shortName": "Liferay", "dateUpdated": "2024-02-20T09:03:19.221Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25606", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:44:09.795Z", "dateReserved": "2024-02-08T13:57:11.425Z", "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3", "datePublished": "2024-02-20T09:03:19.221Z", "assignerShortName": "Liferay"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method."}, {"lang": "es", "value": "La vulnerabilidad XXE en Liferay Portal 7.2.0 a 7.4.3.7 y versiones anteriores no compatibles, y Liferay DXP 7.4 antes de la actualizaci\u00f3n 4, 7.3 antes de la actualizaci\u00f3n 12, 7.2 antes del fixpack 20 y versiones anteriores no compatibles permite a atacantes con permiso implementar widgets/portlets /extensiones para obtener informaci\u00f3n confidencial o consumir recursos del sistema a trav\u00e9s del m\u00e9todo Java2WsddTask._format."}], "id": "CVE-2024-25606", "lastModified": "2024-02-20T19:50:53.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security@liferay.com", "type": "Secondary"}]}, "published": "2024-02-20T09:15:09.533", "references": [{"source": "security@liferay.com", "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606"}], "sourceIdentifier": "security@liferay.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security@liferay.com", "type": "Secondary"}]}

{}