Reflected Cross-Site Scripting Vulnerability in Liferay Portal and DXP
CVE-2025-4388
6.9 MEDIUM
Summary
A reflected cross-site scripting (XSS) vulnerability exists in Liferay Portal versions 7.4.0 to 7.4.3.131 and in multiple versions of Liferay DXP. It allows an unauthenticated remote attacker to inject malicious JavaScript code into the marketplace app manager web interface. Successful exploitation could lead to unauthorized actions being performed on behalf of the user, so affected installations should be patched promptly.
Affected Version(s)
DXP 7.4.13 <= 7.4.13-u92
DXP 2024.Q1.1 <= 2024.Q1.12
DXP 2024.Q2.0 <= 2024.Q2.13
References
CVSS V4
Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Shubham Shah - CTO @ Assetnote
Adam Kues - Security Researcher @ Assetnote