Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-4388: Cross-site Scripting in Digital Experience Platform

Severity: 6.9 MEDIUM (NVD)
EPSS: 25.1% (top 3.82%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published May 6

Description

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92, allows a remote, non-authenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web module.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages (4 packages)

Source      Package                                Range start   Range end      Further ranges
NVD         liferay/liferay_portal                 7.4.0         7.4.3.132      -
CVEListV5   liferay/portal                         7.4.0         7.4.3.131      -
NVD         liferay/digital_experience_platform    2024.Q1.1     2024.Q1.13     +2 more
CVEListV5   liferay/dxp                            7.4.13        7.4.13-u92     +4 more

🔴 Vulnerability Details (3)

GHSA: Liferay Portal Reflected XSS in marketplace-app-manager-web (2025-05-06)
OSV: Liferay Portal Reflected XSS in marketplace-app-manager-web (2025-05-06)
CVEList: CVE-2025-4388: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7 (2025-05-06)

💥 Exploits & PoCs (1)

Nuclei: Liferay Portal - Cross-Site Scripting
CVE-2025-4388 — Cross-site Scripting | cvebase