CVE-2025-4599: 
Liferay Portal vulnerability analysis and mitigation

CVE-2025-4599 is a Cross-Site Scripting (XSS) vulnerability discovered in the fragment preview functionality of Liferay Portal and Liferay DXP. The vulnerability was first reported on April 2, 2025, by Gareth Catterall from the AnchorSec security team. The affected versions include Liferay Portal 7.4.3.61 through 7.4.3.132, and multiple versions of Liferay DXP ranging from 2024.Q1.1 through 2024.Q4.5, as well as DXP 7.4 updates 61 through 92 (Liferay Advisory).

The vulnerability is classified as a postMessage-based XSS that allows remote non-authenticated attackers to inject JavaScript into the fragment portlet URL. The severity of this vulnerability has been assessed with a CVSS v4.0 score of 2.0 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (Liferay Advisory).

The vulnerability allows attackers to perform Cross-Site Scripting attacks through the fragment preview functionality, potentially leading to unauthorized JavaScript execution in the context of the application (Liferay Advisory).

The vulnerability has been fixed in several versions including Liferay Portal on the master branch, Liferay DXP 2024.Q1.14, Liferay DXP 2024.Q4.6, and Liferay DXP 2025.Q1.0. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).