Liferay, Stored Cross-site Scripting, CVE-2025-29415 (Moderate)

Listen to this Post

The CVE-2025-29415 vulnerability exploits the `externalReferenceCode` parameter within Liferay’s `/o/c/` API endpoints for custom objects. This parameter’s input is not sufficiently sanitized before being persisted into the application’s data store. When the stored data is subsequently retrieved and rendered in a user’s browser, the malicious script embedded within the `externalReferenceCode` field is executed in the victim’s context. This attack vector allows a remote attacker to inject arbitrary JavaScript or HTML, leading to a stored cross-site scripting (XSS) attack whenever the compromised data is viewed.
Platform: Liferay Portal/DXP
Version: 7.4.3.51-7.4.3.109
Vulnerability: Stored XSS
Severity: Moderate

date: 2025-09-15

Prediction: Patch 2025-09-30

What Undercode Say:

`curl -X POST -H “Content-Type: application/json” -d ‘{“externalReferenceCode”: ““}’ “https://target/o/c/objects/”`

`nmap -p 80,443 –script http-security-headers target.com`

`grep -r “externalReferenceCode” /liferay/webapps/ROOT/`

How Exploit:

Craft a POST request to a `/o/c/` endpoint with a malicious payload in the `externalReferenceCode` JSON field. The payload is stored and executes when an admin views the relevant object entry in the control panel.

Protection from this CVE:

Apply vendor patch

Input sanitization

Output encoding

Impact:

Arbitrary script execution

Session hijacking

Privilege escalation

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top