CVE-2025-4576

Summary

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.0 <= 7.4.3.132affected
LiferayDXP7.4.13 <= 7.4.13-u92affected
LiferayDXP2024.Q1.1 <= 2024.Q1.15affected
LiferayDXP2024.Q2.0 <= 2024.Q2.13affected
LiferayDXP2024.Q3.1 <= 2024.Q3.13affected
LiferayDXP2024.Q4.0 <= 2024.Q4.7affected
LiferayDXP2025.Q1.0 <= 2025.Q1.4affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References