CVE-2025-4388: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and Liferay DXP, affecting versions 7.4.0 through 7.4.3.131, and various DXP versions including 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12. The vulnerability was disclosed on May 6, 2025, and allows remote non-authenticated attackers to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web component (Liferay Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD, Wiz).

The vulnerability allows remote attackers without authentication to inject malicious JavaScript code into the marketplace-app-manager-web module. This could potentially lead to the execution of unauthorized code in users' browsers, potentially compromising user sessions and sensitive information (Wiz).

The vulnerability has been patched in Liferay Portal version 7.4.3.132, Liferay DXP 2024.Q1.13, and Liferay DXP 2024.Q4.6. Users are strongly advised to upgrade to these fixed versions to mitigate the risk (Liferay Advisory).

The vulnerability was discovered and reported by security researchers Shubham Shah (CTO at Assetnote) and Adam Kues (Security Researcher at Assetnote), demonstrating ongoing security research efforts in the Liferay ecosystem (Liferay Advisory).