The CVE-2025-45421 vulnerability is a stored Cross-Site Scripting (XSS) flaw within the Commerce Search Result widget of Liferay Portal and DXP. The vulnerability exists because the application fails to properly sanitize user-supplied input before rendering it in the web page. Specifically, an attacker with permissions to create or edit a Commerce Product can inject a malicious JavaScript payload into the product’s “Name” field. This payload is then stored in the database. When a victim user, such as an administrator or customer, later views a page containing the compromised Commerce Search Result widget, the malicious script is executed in the victim’s browser context. This allows the attacker to perform actions on behalf of the victim, such as stealing session cookies or performing unauthorized state-changing requests, without any interaction from the victim beyond viewing the compromised page.
Platform: Liferay Portal/DXP
Version: 7.4.0-7.4.3.111
Vulnerability: Stored XSS
Severity: Moderate
Date: 2025-10-07
Prediction: Patch available
What Undercode Says:
curl -s "https://localhost:8080/api/commerce/product" | grep -i "script"
// Example malicious payload for Name field <img src=x onerror=alert(document.cookie)>
How it is exploited:
1. The attacker gains product edit access.
2. The attacker injects a script into the product Name field.
3. The script executes for any user viewing the search results.
Protection from this CVE
Apply official patches: Liferay Portal 7.4.3.112 and DXP 2023.Q4 patch 6.
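The root cause described above is missing output encoding, so as an added illustration (not Liferay's code; product names are constructed samples, including the payload quoted earlier) here is the vulnerable concatenation beside a correctly encoded render, plus a check that lists stored names already carrying markup so they can be reviewed after patching:

```python
import html
import re

# Constructed sample of stored product names; the last one is the payload quoted above.
SAMPLE_PRODUCT_NAMES = [
    "Blue Widget",
    'Tom & Jerry "Special" <Edition>',
    "<img src=x onerror=alert(document.cookie)>",
]


def render_result_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored Name is concatenated straight into the widget markup."""
    return f'<div class="product-name">{name}</div>'


def render_result_safe(name: str) -> str:
    """Fixed pattern: HTML-encode the value for the text-node context it lands in."""
    return f'<div class="product-name">{html.escape(name, quote=True)}</div>'


# A product name should never contain a tag or an on*= event-handler attribute.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-zA-Z]+\s*=", re.IGNORECASE)


def flag_suspicious_names(names):
    """Return stored names that contain markup, for manual review and cleanup after patching."""
    return [n for n in names if _MARKUP_RE.search(n)]


if __name__ == "__main__":
    for n in SAMPLE_PRODUCT_NAMES:
        print(render_result_safe(n))
    print("needs review:", flag_suspicious_names(SAMPLE_PRODUCT_NAMES))
```

The encoded render keeps legitimate characters such as & and quotes readable while neutralising tags; the review list is deliberately broad, so a benign name containing angle brackets is flagged too.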
Impact:
Session hijacking
Unauthorized actions
Sources:
Reported By: github.com

