Listen to this Post
The vulnerability, CVE-2025-XXXX, stems from a flaw in the way Liferay Portal parses and validates domain names to determine their subdomain structure. The application incorrectly identifies the effective top-level domain (eTLD) for a given hostname. This flawed logic allows an attacker who controls a website sharing the same public suffix (e.g., .co.uk, .github.io) to be incorrectly recognized as belonging to the same parent domain. Consequently, the portal may set cookies with a broad `Domain` attribute, such as example.co.uk, instead of restricting it to a specific subdomain like site.example.co.uk. These overly permissive cookies, termed supercookies, are then transmitted by the user’s browser to any entity under that top-level domain, including attacker-controlled sites. This enables a remote attacker to harvest these sensitive session or authentication cookies, leading to a compromise of user sessions.
Platform: Liferay Portal/DXP
Version: 7.4.0-7.4.3.105
Vulnerability: Supercookie Creation
Severity: Moderate
date: 2025-09-15
Prediction: Patch by 2025-10-15
What Undercode Say:
curl -H "Host: attacker.example.co.uk" http://victim.example.co.uk/`document.cookie
<h2 style="color: blue;"></h2>Set-Cookie: JSESSIONID=…; Domain=.example.co.uk;
<h2 style="color: blue;"></h2>evil.github.io
<h2 style="color: blue;">How Exploit:</h2>
Attacker registers. User accessescompany.github.io, which sets a supercookie forDomain=.github.io. Browser sends this cookie toevil.github.io, allowing attacker to steal it via JavaScript (document.cookie`).
Protection from this CVE:
Apply vendor patch.
Configure application firewall.
Sanitize cookie domains.
Impact:
Session Hijacking
Information Disclosure
Cross-Site Request Forgery
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

