1. Home
  2. Vulnerabilities
  3. CVE-2024-25608
6.1
MEDIUM CVSS 3.1
CVE-2024-25608
Liferay Portal XSS/redirection Unlimited Write-What-You-Get
Description

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect.

INFO

Published Date :

Feb. 20, 2024, 10:15 a.m.

Last Modified :

Dec. 11, 2024, 5:56 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
Affected Products

The following products are affected by CVE-2024-25608 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Liferay liferay_portal
2 Liferay digital_experience_platform
3 Liferay dxp
: Total Affected Vendor : 1 | Products : 3
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 MEDIUM [email protected]
CVSS 3.1 MEDIUM [email protected]
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-25608.

URL Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 Vendor Advisory
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 Vendor Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-25608 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-25608 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-25608 vulnerability anywhere in the article.

  • Daily CyberSecurity
Phishing Wave Hits U.S. Energy Giants: Chevron, ConocoPhillips Targeted

The U.S. energy industry has become a prime target for large-scale phishing operations in 2025, according to new research from Hunt Intelligence. The report reveals a sharp increase in look-alike doma ... Read more

Published Date: Sep 15, 2025 (23 hours, 50 minutes ago)
  • Daily CyberSecurity
PyPI Warns of Sophisticated Phishing Campaign Targeting Python Developers

The Python Package Index (PyPI), the central repository for Python developers around the world, has issued a security warning regarding an ongoing phishing attack aimed at tricking project maintainers ... Read more

Published Date: Jul 29, 2025 (1 month, 2 weeks ago)
  • Daily CyberSecurity
CoGUI Phishing Kit: Advanced Evasion Tactics Target Japan

Threat actors using a sophisticated phishing kit called CoGUI have launched a torrent of Japanese-language credential theft campaigns, flooding inboxes with millions of phishing emails each month, acc ... Read more

Published Date: May 07, 2025 (4 months, 1 week ago)
  • europa.eu
Cyber Brief 25-02 - January 2025

Cyber Brief (January 2025)February 3, 2025 - Version: 1TLP:CLEARExecutive summaryWe analysed 262 open source reports for this Cyber Brief1.Policy, cooperation, and law enforcement. Lithuania inaugurat ... Read more

Published Date: Feb 03, 2025 (7 months, 1 week ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2024-25608 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Dec. 11, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    Added CWE NIST CWE-601
    Added CPE Configuration OR *cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* versions up to (excluding) 7.2 *cpe:2.3:a:liferay:digital_experience_platform:7.2:-:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_1:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_10:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_11:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_12:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_13:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_14:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_15:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_16:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_17:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_18:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_2:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_3:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_4:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_5:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_6:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_7:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_8:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:fix_pack_9:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_1:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_2:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_3:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_4:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_5:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.2:service_pack_6:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:* *cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:* *cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* versions up to (excluding) 7.4.3.19
    Changed Reference Type https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 No Types Assigned https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 Vendor Advisory
    Changed Reference Type https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 No Types Assigned https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 Vendor Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by [email protected]

    Feb. 20, 2024

    Action Type Old Value New Value
    Added Description HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) others parameters that rely on HtmlUtil.escapeRedirect.
    Added Reference Liferay Inc. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 [No types assigned]
    Added CWE Liferay Inc. CWE-601
    Added CVSS V3.1 Liferay Inc. AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 6.1
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact