CVE-2025-4388

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.131 Liferay DXP versions 2024.Q1.1 through 2024.Q4.5

Description A reflected cross-site scripting (XSS) issue exists in Liferay Portal and DXP. A remote, unauthenticated attacker can inject JavaScript code into the /modules/apps/marketplace/marketplace-app-manager-web component. The attacker can exploit this by crafting a malicious URL containing the injected script. When a user clicks on this link, the browser executes the script, potentially allowing the attacker to gain access to the user's session and data. The exploit involves sending a crafted request to the /o/marketplace-app-manager-web/icon.jsp endpoint with a malicious iconURL parameter. The vulnerable parameter is iconURL.

Recommendations Liferay Portal versions 7.4.0 through 7.4.3.131: Update to a newer version. Liferay DXP versions 2024.Q1.1 through 2024.Q4.5: Update to a newer version.