CVE-2024-25144

The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.

Published: Feb 8, 2024
Updated: May 4, 2025
CVE: CVE-2024-25144
GHSA: GHSA-w275-m8cr-hf2v
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-834

Affected Software
References

Software	From	Fixed in
com.liferay.portal / release.portal.bom	7.2.0	7.4.3.27
com.liferay.portal / release.dxp.bom	7.2.0	7.2.10.fp19
com.liferay.portal / release.dxp.bom	7.3.0	7.3.10.u6
com.liferay.portal / release.dxp.bom	7.4.0	7.4.13.u27
liferay / dxp	7.3	7.3.x
liferay / dxp	7.4-update_1	7.4-update_1.x
liferay / dxp	7.4-update_2	7.4-update_2.x
liferay / dxp	7.4-update_3	7.4-update_3.x
liferay / dxp	7.4-update_4	7.4-update_4.x
liferay / dxp	7.4-update_5	7.4-update_5.x
liferay / dxp	7.4-update_6	7.4-update_6.x
liferay / dxp	7.4-update_7	7.4-update_7.x
liferay / dxp	7.4-update_9	7.4-update_9.x
liferay / dxp	7.4-update_8	7.4-update_8.x
liferay / dxp	7.4-update_10	7.4-update_10.x
liferay / dxp	7.4-update_11	7.4-update_11.x
liferay / dxp	7.4-update_12	7.4-update_12.x
liferay / dxp	7.4-update_14	7.4-update_14.x
liferay / dxp	7.4-update_13	7.4-update_13.x
liferay / dxp	7.4-update_15	7.4-update_15.x
liferay / dxp	7.4-update_16	7.4-update_16.x
liferay / dxp	7.4-update_18	7.4-update_18.x
liferay / dxp	7.4-update_17	7.4-update_17.x
liferay / dxp	7.4-update_19	7.4-update_19.x
liferay / dxp	7.4-update_20	7.4-update_20.x
liferay / dxp	7.4-update_21	7.4-update_21.x
liferay / dxp	7.4-update_22	7.4-update_22.x
liferay / dxp	7.4-update_23	7.4-update_23.x
liferay / dxp	7.4-update_24	7.4-update_24.x
liferay / dxp	7.4-update_25	7.4-update_25.x
liferay / dxp	7.4-update_26	7.4-update_26.x
liferay / dxp	7.3-update_1	7.3-update_1.x
liferay / dxp	7.3-update_2	7.3-update_2.x
liferay / dxp	7.3-update_3	7.3-update_3.x
liferay / dxp	7.3-update_4	7.3-update_4.x
liferay / dxp	7.3-update_5	7.3-update_5.x
liferay / dxp	7.3-sp1	7.3-sp1.x
liferay / dxp	7.3-sp2	7.3-sp2.x
liferay / dxp	7.3-sp3	7.3-sp3.x
liferay / dxp	7.4	7.4.x
liferay / liferay_portal	7.2.0	7.4.3.26
liferay / digital_experience_platform	7.2	7.2.x
liferay / digital_experience_platform	7.2-fix_pack_1	7.2-fix_pack_1.x
liferay / digital_experience_platform	7.2-fix_pack_2	7.2-fix_pack_2.x
liferay / digital_experience_platform	7.2-fix_pack_3	7.2-fix_pack_3.x
liferay / digital_experience_platform	7.2-fix_pack_5	7.2-fix_pack_5.x
liferay / digital_experience_platform	7.2-fix_pack_4	7.2-fix_pack_4.x
liferay / digital_experience_platform	7.2-fix_pack_6	7.2-fix_pack_6.x
liferay / digital_experience_platform	7.2-fix_pack_7	7.2-fix_pack_7.x
liferay / digital_experience_platform	7.2-fix_pack_8	7.2-fix_pack_8.x
liferay / digital_experience_platform	7.2-fix_pack_9	7.2-fix_pack_9.x
liferay / digital_experience_platform	7.2-fix_pack_10	7.2-fix_pack_10.x
liferay / digital_experience_platform	7.2-fix_pack_11	7.2-fix_pack_11.x
liferay / digital_experience_platform	7.2-fix_pack_14	7.2-fix_pack_14.x
liferay / digital_experience_platform	7.2-fix_pack_12	7.2-fix_pack_12.x
liferay / digital_experience_platform	7.2-fix_pack_13	7.2-fix_pack_13.x
liferay / digital_experience_platform	7.2-fix_pack_15	7.2-fix_pack_15.x
liferay / digital_experience_platform	7.2-fix_pack_16	7.2-fix_pack_16.x
liferay / digital_experience_platform	7.2-fix_pack_18	7.2-fix_pack_18.x
liferay / digital_experience_platform	7.2-fix_pack_17	7.2-fix_pack_17.x

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25144

Vulnerability Database

289,697

CVE-2024-25144