CVSS 3.1 Score 5.4 of 10 (medium)


Published Feb 21, 2024
Updated: Feb 22, 2024


CVE-2024-25151 is a vulnerability found in the Calendar module of Liferay Portal versions 7.2.0 through 7.4.2, as well as older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions. It allows remote authenticated users to inject arbitrary web script or HTML into the default notification email template by manipulating the title of a calendar event or the user's name. This could potentially lead to content spoofing or cross-site scripting (XSS) attacks depending on the recipient's mail client capabilities. The vulnerability has a base severity rating of MEDIUM with a base score of 5.4 and requires low privileges and user interaction for exploitation. It has a low impact on integrity and confidentiality, and no impact on availability. Remediation for this vulnerability is not specified in the provided information.

(Note: The paragraph above compiles factual information from the given text without providing any new analysis or opinions.)

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-25151 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options