How the CVE Works:
This vulnerability exists in Liferay Portal’s `marketplace-app-manager-web` module due to improper input sanitization. An attacker crafts a malicious URL containing JavaScript payloads, which are reflected back in the response without proper encoding. When a victim clicks the manipulated link, the script executes in their browser, leading to session hijacking, phishing, or data theft. The flaw affects versions 7.4.0–7.4.3.131 and Liferay DXP 2024.Q4.0–2024.Q4.5, among others.
DailyCVE Form:
Platform: Liferay Portal
Version: 7.4.0–7.4.3.131
Vulnerability: Reflected XSS
Severity: Moderate
Date: May 6, 2025
What Undercode Say:
Exploitation:
1. Craft a malicious URL:
https://target.com/marketplace-app-manager-web?param=<script>alert(document.cookie)</script>
2. Social-engineer victims to click the link.
Mitigation:
1. Upgrade to Liferay Portal ≥5.0.50 or apply patches.
2. Implement CSP headers:
Content-Security-Policy: default-src 'self'; script-src 'self'
3. Encode user input before it is written into HTML, using OWASP ESAPI:
String safeInput = ESAPI.encoder().encodeForHTML(userInput);
Detection:
1. Scan with Burp Suite or ZAP:
zap-cli --zap-url http://localhost -p 8080 active-scan -s xss https://target.com
2. Check logs for suspicious `marketplace-app-manager-web` requests.
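One way to carry out the log check in step 2, as an added example that is not part of the original report: it flags requests to `marketplace-app-manager-web` whose query parameters decode to script-like markup, including double-encoded values. The common/combined access-log format, the pattern list, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Module name comes from the advisory; the log format and patterns are assumptions.
MODULE = "marketplace-app-manager-web"

# Markup that does not belong in a query string: tags, event handlers, script URIs.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)
# Request line of a common/combined access-log entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (line_no, param, decoded_value) for flagged requests to MODULE."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match or MODULE not in decode_fully(match.group("target")):
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = decode_fully(value)
            if SUSPICIOUS.search(decoded):
                hits.append((line_no, name, decoded))
    return hits


# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2025:10:01:02 +0000] "GET /marketplace-app-manager-web?param=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.8 - - [06/May/2025:10:01:05 +0000] "GET /marketplace-app-manager-web?param=%253Cscript%253Econfirm(1)%253C%252Fscript%253E HTTP/1.1" 200 498',
    '198.51.100.4 - - [06/May/2025:10:02:11 +0000] "GET /marketplace-app-manager-web?param=installed-apps HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/May/2025:10:03:40 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 130',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The pattern list is a triage heuristic: a hit is a lead to review, and a clean result does not show that the module was not targeted.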
Additional Commands:
- Curl PoC:
curl -v "https://target.com/marketplace-app-manager-web?param=<script>confirm(1)</script>"
- Patch Verification:
grep -r "marketplace-app-manager-web" /liferay/home/ | grep -i "xss"
Analytics:
- Attack Vector: Network (HTTP)
- CVSS Score: 6.1 (Medium)
- Exploitability: Low (requires user interaction)
- Affected Components: `marketplace-app-manager-web` module.
Sources:
Reported By: github.com