How the Mentioned CVE Works
The vulnerability CVE-2024-32017 is a Stored Cross-Site Scripting (XSS) flaw within Liferay’s web content management system. It originates in the ‘Name’ field for a web content structure. This field is intended for administrative labeling. However, the application fails to properly sanitize user input submitted to this field. When an authenticated user with content creation privileges injects a crafted JavaScript payload into the ‘Name’ attribute, the malicious script is stored in the database. The payload is then unsafely rendered into the HTML output of the web content administration interface. Subsequently, when another authenticated administrator views or manages the affected web content structure, the malicious script executes automatically within their browser session. This execution occurs in the context of the victim’s session, allowing the attacker to perform any actions the victim is authorized to do, such as stealing session cookies or modifying content.
DailyCVE Form
Platform: Liferay Portal/DXP
Version: 7.4.3.4-7.4.3.111
Vulnerability: Stored XSS
Severity: Medium
Date: 2024-04-XX
Prediction: Patch expected Q2 2024
What Undercode Say:
Analytics
curl -s https://api.liferay.com/security/feed | grep CVE-2024-32017
// Example payload for PoC
const payload = '<script>alert(document.cookie)</script>';
// Injected into the structure 'Name' field
How Exploit:
1. Authenticate as user.
2. Navigate to Web Content structures.
3. Inject script into name field.
4. Admin views structure triggering execution.
Protection from this CVE
- Input sanitization for user-controlled data.
- Implement Content Security Policy.
- Apply strict output encoding.
- Upgrade upon patch release.
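The output-encoding and Content Security Policy items above, shown as an added example that is not Liferay's code: a hypothetical admin-list renderer in its unencoded form beside the encoded form. The function names, the row markup and the policy string are assumptions made for illustration.

```javascript
// Hypothetical renderer for one row of a structure list (not Liferay's code).

// The five characters that matter in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the stored name is concatenated into markup as-is,
// so any markup saved in the 'Name' field reaches the viewer's browser live.
function renderStructureRowUnsafe(structure) {
  return `<tr><td title="${structure.name}">${structure.name}</td></tr>`;
}

// After: the name is encoded at output time, covering both the
// element-text context and the quoted-attribute context.
function renderStructureRow(structure) {
  const name = escapeHtml(structure.name);
  return `<tr><td title="${name}">${name}</td></tr>`;
}

// Defence in depth: a policy without 'unsafe-inline' tells the browser to
// refuse inline <script> blocks even where an encoding step was missed.
function adminCspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Constructed sample record: the payload shown on this page, stored as a name.
const storedStructure = { id: 1, name: '<script>alert(document.cookie)</script>' };

console.log('unsafe:', renderStructureRowUnsafe(storedStructure));
console.log('safe:  ', renderStructureRow(storedStructure));
console.log('Content-Security-Policy:', adminCspHeader());
```

Encoding is applied where the value is written into HTML rather than when it is saved, so names already stored before the fix are rendered inert as well.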
Impact:
- Session hijacking
- Privilege escalation
- Unauthorized actions
- Data theft
Sources:
Reported By: github.com

