Reflected Cross-Site Scripting Vulnerability in Liferay Portal and DXP
CVE-2025-4388

6.9 MEDIUM

Key Information:

Vendor: Liferay
Status: Vendor
CVE Published: 6 May 2025

What is CVE-2025-4388?

CVE-2025-4388 is a reflected cross-site scripting (XSS) vulnerability found in Liferay Portal and Liferay Digital Experience Platform (DXP). It affects Liferay Portal versions 7.4.0 through 7.4.3.131 and several Liferay DXP builds: 2024.Q4 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12, as well as 7.4 GA up to update 92. The flaw allows a remote, unauthenticated attacker to inject malicious JavaScript into the application through its marketplace-related web module. A reflected XSS flaw of this kind can have numerous adverse effects for organizations, including unauthorized manipulation of website content, theft of sensitive user information, and broader attacks on the browsers of users who interact with the affected application.
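The root cause of a reflected XSS flaw is a request parameter written back into the HTML response without output encoding. The following Python snippet is an added illustration, not Liferay's code and not derived from the advisory: it places the vulnerable pattern beside the hardened one (HTML-entity encoding with `html.escape`), and adds a small defender-side helper that flags logged requests whose query parameters carry raw angle brackets. The request paths, parameter name `q`, and log lines are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed test string (not from the advisory): harmless markup used only to
# check whether a reflected parameter survives into the response as live HTML.
CANARY = '<script>alert(1)</script>'

# Constructed access-log request lines; the /example/search path is hypothetical.
SAMPLE_LOG = [
    'GET /example/search?q=portal HTTP/1.1',
    'GET /example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1',
]


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: the untrusted parameter is concatenated straight
    into HTML, so any markup in it is interpreted by the browser."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Hardened pattern: entity-encode the value before placing it in element
    content. quote=True also encodes ' and \", so the same helper is safe
    inside quoted attribute values."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check: True if the untrusted string appears verbatim
    (i.e. as live markup) in the rendered output."""
    return untrusted in rendered


def suspicious_query_params(request_line: str) -> list[str]:
    """Triage heuristic for access-log review: names of query parameters in a
    logged request line whose URL-decoded value contains '<' or '>'.
    Hypothetical helper for spotting reflection probes during incident
    review; it complements, and does not replace, applying the vendor fix."""
    parts = request_line.split()           # e.g. ["GET", "/path?x=1", "HTTP/1.1"]
    if len(parts) < 2:
        return []
    query_string = urlsplit(parts[1]).query
    params = parse_qs(query_string, keep_blank_values=True)  # values are decoded here
    flagged = [name for name, values in params.items()
               if any('<' in v or '>' in v for v in values)]
    return sorted(flagged)


if __name__ == "__main__":
    print("unsafe :", render_unsafe(CANARY))
    print("safe   :", render_safe(CANARY))
    for line in SAMPLE_LOG:
        print(suspicious_query_params(line) or "clean", "<-", line)
```

The encoded form renders the canary as visible text rather than executing it; the log helper is intentionally crude (it ignores double-encoding and other evasions) and is only meant to surface candidates for manual review.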

Potential impact of CVE-2025-4388

  1. Unauthorized Access and Data Theft: Attackers can exploit this vulnerability to inject malicious scripts that may capture sensitive data, including user credentials and personal information, compromising user accounts and leading to significant data breaches.

  2. Reputation Damage: Organizations that fall victim to such vulnerabilities may suffer reputational harm among their user base and industry peers, potentially leading to a loss of customer trust and brand loyalty.

  3. Financial Loss: Beyond reputational damage, organizations may incur direct financial losses due to remediation efforts, potential legal liabilities associated with data breaches, and disruptions in service functionality resulting from the exploitation of the vulnerability.

Affected Version(s)

DXP 7.4.13 <= 7.4.13-u92

DXP 2024.Q1.1 <= 2024.Q1.12

DXP 2024.Q2.0 <= 2024.Q2.13

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Shubham Shah - CTO @ Assetnote
Adam Kues - Security Researcher @ Assetnote