How the mentioned CVE works:
This CVE stems from a failure to properly sanitize user input in Liferay Portal’s commerce module. An attacker with permission to create or edit “Terms and Conditions” records can place malicious JavaScript in the “Name” field of a Payment Term or a Delivery Term. The unsanitized value is stored in the database as-is. When a victim, such as an administrator or another user, later views an order page that displays these terms, the stored script is retrieved from the database and executed in the victim’s browser session. This lets the attacker act on behalf of the victim, for example stealing session cookies or issuing unauthorized state-changing requests.
Platform: Liferay Portal/DXP
Version: 7.4.3.15-7.4.3.111
Vulnerability: Stored XSS
Severity: Moderate
Date: 2025-10-07
Prediction: 2025-10-23
What Undercode Say:
curl -X POST 'http://<liferay-host>/o/headless-commerce-admin-order/v1.0/terms' \
-H 'Content-Type: application/json' \
-H 'Cookie: <admin-cookie>' \
-d '{"name": "<script>alert(document.cookie)</script>", "type": "payment-terms"}'
// Payload stored in Terms Name field <img src=x onerror=stealCookies()>
GET /group/guest/~/control_panel/manage?p_p_id=com_liferay_commerce_order_content_web_internal_portlet_CommerceOrderContentPortlet HTTP/1.1
How to Exploit:
1. Attacker logs into Liferay.
2. Navigates to Commerce -> Settings -> Terms and Conditions.
3. Creates a new Payment Term.
4. Injects malicious script into the “Name” field.
5. Saves the term.
6. Victim views any order using the malicious term.
7. Script executes in the victim’s context.
Protection from this CVE:
Apply official patch.
Sanitize all user inputs.
Implement Content Security Policy.
Escape dynamic content output.
Use HTTPOnly cookies.
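As an added defensive example (not Liferay's code and not part of the original post): the unsafe concatenation of a stored term name beside the escaped rendering that "Escape dynamic content output" calls for, plus an audit that flags stored term names already carrying markup so they can be cleaned up after patching. The render functions, the regex and the sample terms are assumptions constructed for this example; only the two payload strings come from the page.

```javascript
// Added example, not Liferay code: output escaping for a stored
// "Terms and Conditions" name, and an audit of stored names for markup.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so a name holding a <script> or an onerror handler runs in the viewer's browser.
function renderTermUnsafe(term) {
  return `<td class="term-name">${term.name}</td>`;
}

// Hardened pattern: escape at output time; an injected tag becomes literal text.
function renderTermSafe(term) {
  return `<td class="term-name">${escapeHtml(term.name)}</td>`;
}

// Audit (assumed heuristic): flag names containing a tag, an inline event
// handler attribute or a javascript: URL, the footprint of a stored injection.
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;

function auditTermNames(terms) {
  return terms
    .filter((t) => MARKUP_RE.test(t.name))
    .map((t) => ({ id: t.id, type: t.type, name: t.name }));
}

// Constructed sample: two legitimate terms and two carrying the page's payloads.
const SAMPLE_TERMS = [
  { id: 1, type: 'payment-terms', name: 'Net 30' },
  { id: 2, type: 'delivery-terms', name: 'Standard shipping' },
  { id: 3, type: 'payment-terms', name: '<script>alert(document.cookie)</script>' },
  { id: 4, type: 'delivery-terms', name: '<img src=x onerror=stealCookies()>' },
];

// Demo: returns the escaped rows and the ids the audit flagged.
function demo() {
  return {
    rows: SAMPLE_TERMS.map(renderTermSafe),
    flaggedIds: auditTermNames(SAMPLE_TERMS).map((t) => t.id),
  };
}
```

Running demo() shows every row rendered inert and ids 3 and 4 flagged for cleanup; the unsafe renderer is kept only to make the contrast visible.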
Impact:
Session hijacking.
Unauthorized actions.
Data theft.
Privilege escalation.
Sources:
Reported By: github.com