Liferay Portal, Stored XSS, CVE-2025-XXXXX (Moderate)

The CVE describes a Stored Cross-Site Scripting vulnerability within the Membership page of Liferay Portal’s Account Settings. The flaw exists due to improper neutralization of user-controlled input before it is placed in the output. An attacker, who must be authenticated, can inject a malicious JavaScript payload into the “Name” text field during the account creation or modification process. This payload is not sanitized and is stored by the application. Whenever the compromised membership information is viewed, typically by an administrator or another user with appropriate permissions, the malicious script is executed in the victim’s browser context. This allows the attacker to perform actions on behalf of the victim, such as hijacking their session, defacing the site, or redirecting to malicious websites.
Platform: Liferay Portal/DXP
Version: 7.4.3.21-7.4.3.111
Vulnerability: Stored XSS
Severity: Moderate

Date: 2025-10-11

Prediction: 2025-10-25

What Undercode Say:

# Searching for potentially vulnerable endpoints in Liferay
# (-name takes a glob; "*.jsp" matches all JSP files, ".jsp" alone would match only a file literally named .jsp)
find /liferay/tomcat/webapps/ROOT -name "*.jsp" | xargs grep -l "MembershipPortlet"

# Example of a malicious payload for the 'name' field
echo "Injecting: <script>alert('XSS')</script>"

// Proof-of-Concept payload
var maliciousName = "<img src=x onerror=alert(document.cookie)>";
// This payload would be submitted via the Account Settings form.

How to Exploit:

1. Attacker logs into a low-privilege account.

2. Navigates to Account Settings -> Membership.

3. Injects a crafted script into the “Name” field.

4. The script is saved and stored by the portal.

5. An administrator views the membership list.

6. The stored script executes in the admin’s browser session.

Protection from this CVE

Apply the official patch from Liferay.

Upgrade to Liferay Portal version 2.0.114 or later.

Implement a Web Application Firewall (WAF).

Enforce strict Content Security Policy (CSP) headers.

Perform rigorous input sanitization on all user fields.

Impact:

Session Hijacking

Account Takeover

Privilege Escalation

Data Theft

Site Defacement

Sources:

Reported By: github.com