Liferay Portal, Cross-Site Scripting, CVE-2025-XXXX (Moderate)


This CVE describes a stored cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP. The flaw stems from improper neutralization of input before it is placed in web pages: the application fails to adequately sanitize user-supplied input in the “” field of an Account Role and the “Name” field of an Organization. When a malicious actor with the permissions needed to create or edit these entities injects a crafted script payload, that payload is stored persistently in the database. The vulnerability is triggered when the affected pages, such as the view account role page or the select account organization page, are subsequently rendered: the application serves the stored script to other users’ browsers, where it executes in the context of the victim’s session. This allows the attacker to perform any action the victim is authorized to perform, access sensitive data, or deface the website.
Platform: Liferay Portal/DXP
Version: 7.3.7-7.4.3.103
Vulnerability: Stored XSS
Severity: Moderate
Date: 2025-10-27

Prediction: Patch available

What Undercode Says:

`curl -s "https://localhost:8080/web/guest/view-account-role" | grep -i "script"`

`nmap -p 8080 --script http-stored-xss localhost`

How It Is Exploited:

Craft malicious script payload.

Inject it into the Account Role or Organization name field.

A victim views the affected page and the script executes.

Protection from this CVE:

Apply vendor patch.

Implement input sanitization and HTML-encode the role and organization names on output.

Deploy a Content Security Policy that disallows inline scripts.
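The following is an added defensive example, not code from Liferay or from this post. It shows the three protections above in one place: HTML-encoding a stored role or organization name before it is rendered (so a persisted payload is displayed as text rather than executed), an audit routine that flags already-stored names containing markup so an administrator can review them after patching, and a Content-Security-Policy header that refuses inline scripts. The name values and the page fragment are constructed samples; the function names are this example's own, not a Liferay API.

```python
import html
import re

# Constructed sample values, as an Account Role or Organization "Name" field
# might be found in the database after abuse of the vulnerability.
SAMPLE_NAMES = {
    "sales-team": "Sales Team",
    "suspicious-role": "Admin<script>alert(1)</script>",
    "odd-org": 'Acme" onmouseover="alert(1)',
}

# Markers that have no business in a role or organization name: tag
# delimiters, a javascript: URL scheme, or an HTML event-handler attribute.
_MARKUP_RE = re.compile(r"<|>|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def render_name(name: str) -> str:
    """Output-encode a stored name for safe placement inside HTML text or
    a quoted attribute value. This is the fix for the missing neutralization:
    encoding happens at render time, regardless of what was stored."""
    return html.escape(name, quote=True)


def render_role_list(names: dict) -> str:
    """Build the kind of fragment a 'view account role' page would emit,
    with every untrusted name encoded on the way out."""
    items = "".join(f"<li>{render_name(n)}</li>" for n in names.values())
    return f"<ul>{items}</ul>"


def looks_like_markup(name: str) -> bool:
    """Detection helper: does a stored name contain script-bearing markup?"""
    return _MARKUP_RE.search(name) is not None


def audit_names(names: dict) -> list:
    """Return the keys of records whose names should be reviewed. Run this
    over existing Account Role and Organization records after patching,
    because the patch does not clean payloads that were stored earlier."""
    return [key for key, value in names.items() if looks_like_markup(value)]


def build_csp() -> dict:
    """A response header that blocks inline scripts, which is what a stored
    XSS payload relies on. Assumes the portal's own scripts are served from
    the same origin; 'unsafe-inline' is deliberately absent from script-src."""
    policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    return {"Content-Security-Policy": policy}


def allows_inline_scripts(headers: dict) -> bool:
    """True if the CSP would still let an injected inline script run."""
    policy = headers.get("Content-Security-Policy", "")
    directives = {d.split()[0]: d.split()[1:] for d in policy.split(";") if d.strip()}
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources or not sources


if __name__ == "__main__":
    print(render_role_list(SAMPLE_NAMES))
    print("records to review:", audit_names(SAMPLE_NAMES))
    print("CSP permits inline scripts:", allows_inline_scripts(build_csp()))
```

The audit step matters because applying the vendor patch stops new payloads from being stored but leaves anything already in the database untouched; the encoded output and the CSP together ensure such leftovers render as harmless text even before they are cleaned up.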

Impact:

Session hijacking.

Data theft.

Site defacement.


Sources:

Reported by: github.com
Extra source hub: Undercode
