Liferay Portal, Stored XSS, CVE-2025-45700 (Moderate)


This CVE describes a Stored Cross-Site Scripting vulnerability in the Forms module of Liferay Portal and DXP. The flaw lies in the handling of rich text type fields: when a form contains a rich text field, the application does not properly sanitize the user-supplied value before it is stored and later displayed. A remote attacker can therefore submit a form entry whose rich text field carries crafted HTML or JavaScript. Unlike reflected XSS, the payload is saved on the server and is executed automatically in the browser of any other user who views the submitted entry, such as an administrator reviewing responses, with no further interaction from the victim. The script runs in the context of the victim's session and can perform any action the victim is permitted to perform in the portal.

DailyCVE Form:

Platform: Liferay Portal/DXP
Version: 7.3.2-7.4.3.111

Vulnerability : Stored XSS

Severity: Moderate

Date: 2025-10-08

Prediction: 2025-10-22

What Undercode Says:

`curl -s "https://api.github.com/advisories" | jq '.[] | select(.severity == "moderate")'`

`docker run -p 8080:8080 liferay/portal:7.4.3.111`


How to Exploit:

Craft malicious script.

Inject into rich text field.

Submit form.

Admin views entry.

Script executes automatically.
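The sequence above, as an added example that is not Liferay code and does not model Liferay's real storage or rendering path: a minimal Python stand-in for a forms backend that stores a rich text field and later renders it to a reviewer. The vulnerable renderer emits the stored HTML verbatim, which is the pattern the CVE text describes; the hardened renderer passes the same value through an allowlist sanitizer built on the standard library's HTMLParser, so formatting survives but script-bearing tags, event-handler attributes and javascript: URLs do not. FORM_ENTRIES, the function names and the payload are all constructed for this illustration.

```python
"""Added example (not Liferay code): a minimal model of a forms backend that
stores a rich text field and later renders it to a reviewer.

render_entry_vulnerable() emits the stored HTML verbatim, the pattern the CVE
text describes. render_entry_hardened() runs the same value through an
allowlist sanitizer built on the standard library's HTMLParser, so formatting
survives but script-bearing constructs do not. FORM_ENTRIES, the function
names and PAYLOAD are all constructed for this illustration."""

from html import escape
from html.parser import HTMLParser

# Tags a rich text field legitimately needs; everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "strong", "em", "ul", "ol", "li", "br", "a"}
# Attributes permitted per tag. Event handlers (on*) and style never appear here.
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
# Raw contents of these elements are discarded, not re-emitted as text.
DROP_CONTENT_TAGS = {"script", "style"}


class RichTextSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only allowlisted
    tags and attributes. Text nodes are always re-escaped, so an
    entity-encoded '&lt;script&gt;' cannot turn into live markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # <img>, <svg>, <iframe>, ... vanish, and their handlers with them
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onload=, style=, ...
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and data: URLs
            rendered.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = False
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize_rich_text(html_in):
    """Return an allowlisted, re-escaped version of a rich text field value."""
    parser = RichTextSanitizer()
    parser.feed(html_in)
    parser.close()
    return parser.result()


# In-memory stand-in for the forms data store (constructed for the example).
FORM_ENTRIES = []


def submit_entry(rich_text):
    """Attacker-side step: the field value is stored without inspection,
    which is what makes this XSS stored rather than reflected."""
    FORM_ENTRIES.append({"id": len(FORM_ENTRIES) + 1, "rich_text": rich_text})
    return FORM_ENTRIES[-1]["id"]


def render_entry_vulnerable(entry_id):
    """Reviewer-side view with no output sanitization: the stored payload
    reaches the administrator's browser byte for byte."""
    entry = FORM_ENTRIES[entry_id - 1]
    return f'<div class="entry">{entry["rich_text"]}</div>'


def render_entry_hardened(entry_id):
    """Same view with the sanitizer applied at render time. Sanitizing on
    input as well is cheap, but output is the boundary that must hold."""
    entry = FORM_ENTRIES[entry_id - 1]
    return f'<div class="entry">{sanitize_rich_text(entry["rich_text"])}</div>'


# Constructed payload: harmless-looking formatting followed by an image tag
# whose event handler fires as soon as the reviewer's browser renders it.
PAYLOAD = '<p>Thanks for the <b>quick</b> reply!</p><img src=x onerror="alert(document.cookie)">'

if __name__ == "__main__":
    entry_id = submit_entry(PAYLOAD)
    print("vulnerable:", render_entry_vulnerable(entry_id))
    print("hardened:  ", render_entry_hardened(entry_id))
```

Running it shows the vulnerable view carrying the onerror handler untouched, while the hardened view keeps only the paragraph and bold text. The sanitizer is allowlist-based on purpose: a denylist of known-bad tags is exactly what attackers bypass with unusual tags, attribute casing or entity encoding, whereas rebuilding from parsed tokens means anything not explicitly permitted simply never reaches the output.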

Protection from this CVE

Apply the vendor patch (upgrade out of the affected version range).

Sanitize rich text input against an allowlist of tags and attributes.

Implement a Content Security Policy that does not permit inline script.

Escape dynamic content on output.
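The Content Security Policy item above, as an added check that is not part of the original post and not Liferay code: a small Python evaluator that parses a Content-Security-Policy header and reports whether it would make the browser refuse the inline script a stored payload relies on. CSP does not replace sanitization, but it is the layer that still holds if a sanitizer bypass is found. The header values in SAMPLE_HEADERS are constructed for this illustration; the function names are assumptions.

```python
"""Added check (not Liferay code): decide whether a Content-Security-Policy
header would refuse the inline script an attacker stores in a rich text field.

CSP does not replace sanitization, but a policy whose script sources exclude
'unsafe-inline' makes the browser refuse an injected <script> block or
onerror= handler even when the markup reaches the page. The header values in
SAMPLE_HEADERS are constructed for this illustration."""

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; the first token names the directive and is
    case-insensitive. Source expressions keep their case because nonces matter."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy):
    """script-src governs script execution. If it is absent the browser falls
    back to default-src; if that is absent too, nothing restricts scripts."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")  # None means unrestricted


def blocks_inline_script(header):
    """True when the policy refuses inline <script> blocks and inline event
    handlers, which is what stops a stored XSS payload from executing.

    Rules applied:
      * no applicable directive            -> inline runs
      * 'unsafe-inline' present            -> inline runs, except that a
        nonce or hash source in the same directive makes CSP2+ browsers
        ignore 'unsafe-inline', so an attacker without the nonce is blocked
      * anything else ('self', hosts, ...) -> inline refused"""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return False
    return True


def audit(headers):
    """Evaluate several candidate headers; returns {label: verdict}."""
    return {label: blocks_inline_script(value) for label, value in headers.items()}


# Constructed sample responses: what a portal might send before and after hardening.
SAMPLE_HEADERS = {
    "no policy": "",
    "default-src only": "default-src 'self'",
    "unsafe-inline scripts": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "nonce with legacy fallback": "script-src 'self' 'nonce-Rm9vQmFy' 'unsafe-inline'",
    "strict": "default-src 'none'; script-src 'self'; img-src 'self' data:; object-src 'none'",
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{label:28s} blocks inline script: {verdict}")
```

The case worth noticing is "unsafe-inline scripts": many portals ship exactly that policy because legacy inline scripts would otherwise break, and it provides no protection at all against this class of bug. Moving to nonces (with 'unsafe-inline' kept only as a fallback for pre-CSP2 browsers) is the usual path out, and the evaluator reflects that browsers ignore 'unsafe-inline' once a nonce or hash is present.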

Impact:

Session hijacking.

Account takeover.

Defacement.

Data theft.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
