CVE-2025-2536: 
Java vulnerability analysis and mitigation

Cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and Liferay DXP's Frontend JS module's layout-taglib/liferay/index.js. The vulnerability affects multiple versions including Liferay Portal 7.4.3.82 through 7.4.3.128, and various Liferay DXP versions from 2023.Q3.1 through 2024.Q3.0. The vulnerability was disclosed on December 11, 2024, and has been assigned a CVSS v4.0 score of 5.1 (Medium) (Liferay Advisory).

The vulnerability exists in the Frontend JS module's layout-taglib/liferay/index.js component, where insufficient input validation of the toastData parameter allows for injection of malicious content. The vulnerability has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v4.0 vector string is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability allows remote attackers to inject arbitrary web script or HTML via the toastData parameter. This could potentially lead to the execution of malicious scripts in users' browsers, potentially compromising user data or enabling other client-side attacks (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal 7.4.3.129, Liferay DXP 2024.Q1.13, Liferay DXP 2024.Q3.1, or Liferay DXP 2024.Q4.0 (Liferay Advisory).

The vulnerability was discovered and reported by security researchers Dtro and TF1T of VietSunshine Cyber Security Services (Liferay Advisory).