Liferay DXP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-4599 - Vulnerability Database

Liferay DXP

Liferay DXP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-4599

Medium

Reference: CVE-2025-4599

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2025-4599

Title: Liferay DXP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132 and Liferay DXP 2024.Q4.1 through 2024.Q4.5 2024.Q3.1 through 2024.Q3.13 2024.Q2.0 through 2024.Q2.13 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript into the fragment portlet URL.