{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47078?format=json","vulnerability_id":"VCID-hrnu-4t2j-9qba","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via crafted javascript: style links.","aliases":[{"alias":"CVE-2024-25147"},{"alias":"GHSA-xpjg-7hx7-wgcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68843?format=json","purl":"pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5vyh-n1sc-sydy"},{"vulnerability":"VCID-7gqd-78yq-r3be"},{"vulnerability":"VCID-9yw4-52sc-rbbz"},{"vulnerability":"VCID-ebmm-3qj1-8uec"},{"vulnerability":"VCID-euw1-6mk1-n3he"},{"vulnerability":"VCID-fxtu-zgpf-cbhs"},{"vulnerability":"VCID-gp4p-wthk-k3hf"},{"vulnerability":"VCID-menx-yu2z-xkeh"},{"vulnerability":"VCID-p4nc-ucxy-sydb"},{"vulnerability":"VCID-rtqu-78p2-buej"},{"vulnerability":"VCID-vsg8-h11j-63ge"},{"vulnerability":"VCID-xu7c-vz69-duhp"},{"vulnerability":"VCID-zc36-wq6m-4bbn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.10.fp15"},{"url":"http://public2.vulnerablecode.io/api/packages/68816?format=json","purl":"pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cxnv-25bg-rubj"},{"vulnerability":"VCID-ef5k-bdxm-xfer"},{"vulnerability":"VCID-euw1-6mk1-n3he"},{"vulnerability":"VCID-menx-yu2z-xkeh"},{"vulnerability":"VCID-rtqu-78p2-buej"},{"vulnerability":"VCID-xwgk-d28b-rbgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.10.u4"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60856?format=json","purl":"pkg:maven/com.liferay.portal/release.dxp.bom@7.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17tm-rzgk-qfas"},{"vulnerability":"VCID-1h16-mptk-gke7"},{"vulnerability":"VCID-2dc6-guhs-juhy"},{"vulnerability":"VCID-4mcy-yw2p-v7bd"},{"vulnerability":"VCID-5vyh-n1sc-sydy"},{"vulnerability":"VCID-67kh-3nge-vfhg"},{"vulnerability":"VCID-68kz-zfvf-7ucw"},{"vulnerability":"VCID-6r32-cn35-sqcb"},{"vulnerability":"VCID-6yj4-11z6-pfhx"},{"vulnerability":"VCID-7gqd-78yq-r3be"},{"vulnerability":"VCID-7zhe-ztqw-gkhh"},{"vulnerability":"VCID-84qe-1wws-v3g6"},{"vulnerability":"VCID-a93n-jcyj-s7cb"},{"vulnerability":"VCID-b7h9-cxkj-hkc8"},{"vulnerability":"VCID-c4kq-8dpb-bkc7"},{"vulnerability":"VCID-d7nb-6hvn-cueh"},{"vulnerability":"VCID-eaks-bevz-uuc8"},{"vulnerability":"VCID-f9dw-g5c2-jba1"},{"vulnerability":"VCID-ggs5-4zac-vqa7"},{"vulnerability":"VCID-gp4p-wthk-k3hf"},{"vulnerability":"VCID-gv7c-qump-nyds"},{"vulnerability":"VCID-gz3a-m337-s7dn"},{"vulnerability":"VCID-h261-uqtv-yfek"},{"vulnerability":"VCID-hrnu-4t2j-9qba"},{"vulnerability":"VCID-hw1d-gdcv-vkec"},{"vulnerability":"VCID-jarq-qchk-nkc1"},{"vulnerability":"VCID-jkje-ckr9-6ffp"},{"vulnerability":"VCID-jr2w-84ez-3kg2"},{"vulnerability":"VCID-k1u8-ur3y-zucd"},{"vulnerability":"VCID-k29y-9nww-cuh6"},{"vulnerability":"VCID-k6d6-hyep-pbac"},{"vulnerability":"VCID-m1tw-29pq-h3gw"},{"vulnerability":"VCID-menx-yu2z-xkeh"},{"vulnerability":"VCID-p7s6-d63y-4ffb"},{"vulnerability":"VCID-p9am-1rhf-6bh2"},{"vulnerability":"VCID-pczz-39pz-37bb"},{"vulnerability":"VCID-q23w-uet7-w7fz"},{"vulnerability":"VCID-qar1-pfr5-ekfm"},{"vulnerability":"VCID-qks2-mqk8-wffq"},{"vulnerability":"VCID-sn9p-y571-ffej"},{"vulnerability":"VCID-t51p-askk-pfcx"},{"vulnerability":"VCID-ub82-jbgf-mfb8"},{"vulnerability":"VCID-uug8-ap5n-r3g2"},{"vulnerability":"VCID-vrqa-ggse-wqhn"},{"vulnerability":"VCID-wwhx-5znm-nyea"},{"vulnerability":"VCID-x13m-kscr-nkbf"},{"vulnerability":"VCID-x7ny-9pvm-77eh"},{"vulnerability":"VCID-xe2v-j69t-d3h3"},{"vulnerability":"VCID-xuaz-p5q4-8beh"},{"vulnerability":"VCID-ydhb-8z5m-v7fb"},{"vulnerability":"VCID-yq5x-4eyq-m7ba"},{"vulnerability":"VCID-yump-6eg9-9yeq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/60857?format=json","purl":"pkg:maven/com.liferay.portal/release.dxp.bom@7.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fqz-psdf-g7dm"},{"vulnerability":"VCID-1h16-mptk-gke7"},{"vulnerability":"VCID-266t-4gfq-duh4"},{"vulnerability":"VCID-298n-mh47-3ygq"},{"vulnerability":"VCID-38vz-usgx-g7dv"},{"vulnerability":"VCID-4mcy-yw2p-v7bd"},{"vulnerability":"VCID-7f43-u96s-qyeq"},{"vulnerability":"VCID-7gqd-78yq-r3be"},{"vulnerability":"VCID-7zhe-ztqw-gkhh"},{"vulnerability":"VCID-a7z8-2fzy-2qee"},{"vulnerability":"VCID-a93n-jcyj-s7cb"},{"vulnerability":"VCID-b7h9-cxkj-hkc8"},{"vulnerability":"VCID-cxnv-25bg-rubj"},{"vulnerability":"VCID-e5c7-wsvb-dyfm"},{"vulnerability":"VCID-ef5k-bdxm-xfer"},{"vulnerability":"VCID-ggs5-4zac-vqa7"},{"vulnerability":"VCID-gz3a-m337-s7dn"},{"vulnerability":"VCID-h261-uqtv-yfek"},{"vulnerability":"VCID-hhmu-vsj9-gudx"},{"vulnerability":"VCID-hrnu-4t2j-9qba"},{"vulnerability":"VCID-hw1d-gdcv-vkec"},{"vulnerability":"VCID-k1u8-ur3y-zucd"},{"vulnerability":"VCID-k6d6-hyep-pbac"},{"vulnerability":"VCID-k7yh-fkj8-t3fx"},{"vulnerability":"VCID-k9yt-aj7x-3bht"},{"vulnerability":"VCID-menx-yu2z-xkeh"},{"vulnerability":"VCID-mph8-zzjv-67av"},{"vulnerability":"VCID-n6qs-hded-rydp"},{"vulnerability":"VCID-p9am-1rhf-6bh2"},{"vulnerability":"VCID-q7bs-639b-pken"},{"vulnerability":"VCID-tqvb-a46r-jbf8"},{"vulnerability":"VCID-uu3m-ef36-jqg7"},{"vulnerability":"VCID-uug8-ap5n-r3g2"},{"vulnerability":"VCID-x7ny-9pvm-77eh"},{"vulnerability":"VCID-xa5h-2khm-efgj"},{"vulnerability":"VCID-xe2v-j69t-d3h3"},{"vulnerability":"VCID-xuaz-p5q4-8beh"},{"vulnerability":"VCID-xwgk-d28b-rbgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.dxp.bom@7.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/65211?format=json","purl":"pkg:maven/com.liferay.portal/release.portal.bom@7.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fn6-apud-qbh4"},{"vulnerability":"VCID-37ph-hjq9-bufq"},{"vulnerability":"VCID-4611-azkf-sffv"},{"vulnerability":"VCID-7tas-6nn4-9fhu"},{"vulnerability":"VCID-afe9-yqy2-8bdb"},{"vulnerability":"VCID-bbzr-zx1c-m3ck"},{"vulnerability":"VCID-bg89-tyhn-sfc3"},{"vulnerability":"VCID-dt2w-w4vw-1yhe"},{"vulnerability":"VCID-gaqh-vn1h-b3c1"},{"vulnerability":"VCID-hrnu-4t2j-9qba"},{"vulnerability":"VCID-k1u8-ur3y-zucd"},{"vulnerability":"VCID-msd2-mccp-z7cv"},{"vulnerability":"VCID-pdbx-p4mr-97h4"},{"vulnerability":"VCID-qrgm-94me-83hz"},{"vulnerability":"VCID-y8xm-g4zt-b7b5"},{"vulnerability":"VCID-zmf4-acz8-s3a2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.liferay.portal/release.portal.bom@7.4.1"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-25147","reference_id":"","reference_type":"","scores":[{"value":"0.00147","scoring_system":"epss","scoring_elements":"0.34827","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-25147"},{"reference_url":"https://github.com/liferay/liferay-portal","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/liferay/liferay-portal"},{"reference_url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147","reference_id":"CVE-2024-25147","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T16:15:43Z/"}],"url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25147","reference_id":"CVE-2024-25147","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25147"},{"reference_url":"https://github.com/advisories/GHSA-xpjg-7hx7-wgcx","reference_id":"GHSA-xpjg-7hx7-wgcx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xpjg-7hx7-wgcx"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":79,"name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":"0.5","weighted_severity":"9.0","risk_score":4.5,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hrnu-4t2j-9qba"}