PT-2025-11960 · Liferay · Liferay Portal+1

Published 2025-03-19 · Updated 2025-12-16 · CVE-2025-2536

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.82 through 7.4.3.128; Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92

Description: A cross-site scripting (XSS) issue exists in the Frontend JS module's layout-taglib/liferay/index.js, allowing remote attackers to inject arbitrary web script or HTML via the toastData parameter.

Recommendations: For Liferay Portal versions 7.4.3.82 through 7.4.3.128, consider disabling the layout-taglib/liferay/index.js module until a patch is available. For Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92, restrict access to the Frontend JS module to minimize the risk of exploitation. Avoid using the toastData parameter in the affected module until the issue is resolved.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-2536
GHSA-HRC4-P2H3-PJQW

Affected Products

Liferay DXP
Liferay Portal