CVE-2025-4599 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

2.0LOWNVD

EPSS

0.0%

top 93.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedAug 4

Latest updateAug 5

Description

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript into the fragment portlet URL.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.3.61 — 7.4.3.132

▶CVEListV5liferay/portal7.4.0 — 7.4.3.132

▶CVEListV5liferay/dxp7.4.13-u61 — 7.4.13-u92+4

▶NVDliferay/digital_experience_platform2024.q1.1 — 2024.q1.13+4

🔴Vulnerability Details

GHSA

GHSA-6mh8-4qwq-prc5: The fragment preview functionality in Liferay Portal 7↗2025-08-05

▶

CVEList

CVE-2025-4599: The fragment preview functionality in Liferay Portal 7↗2025-08-04

▶