CVE-2025-4599

MEDIUM

Liferay DXP 2024.Q1.1-2024.Q1.13 - Unauthenticated XSS via Fragment Preview postMessage

Title source: llm

Description

The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript into the fragment portlet URL.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4599

Scores

CVSS v3 6.1

EPSS 0.0005

EPSS Percentile 14.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

liferay/digital_experience_platform 7.4 (33 CPE variants)

liferay/digital_experience_platform 2024.q1.1 - 2024.q1.13

liferay/liferay_portal 7.4.3.61 - 7.4.3.132

Published Aug 04, 2025

Tracked Since Feb 18, 2026