Security Listings

5.1

CVE-2025-2536 DOM based XSS at /o/layout-taglib/liferay/index.js

Description

Cross-site scripting (XSS) vulnerability on Liferay Portal and Liferay DXP in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers to inject arbitrary web script or HTML via toastData parameter

Severity

5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

Affected Version(s)

Liferay Portal 7.4.3.82 through 7.4.3.128
Liferay DXP 2024.Q3.0
Liferay DXP 2024.Q2.0 throguh 2024.Q2.12
Liferay DXP 2024.Q1.1 through 2024.Q1.12
Liferay DXP 2023.Q4.0 through 2023.Q4.10
Liferay DXP 2023.Q3.1 through 2023.Q3.10
Liferay DXP 7.4 update 82 through update 92

Fixed Version(s)

Liferay Portal 7.4.3.129
Liferay DXP 2024.Q1.13
Liferay DXP 2024.Q3.1
Liferay DXP 2024.Q4.0

Acknowledgments

Dtro and TF1T of VietSunshine Cyber Security Services

CVE-2025-2536

Publication Date:

Dezember 11, 2024

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Learn How >

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Learn How >

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!

Learn How >

Community

Company

Feedback

Security Listings

CVE-2025-2536 DOM based XSS at /o/layout-taglib/__liferay__/index.js

Description

Severity

Affected Version(s)

Fixed Version(s)

Acknowledgments

CVE-2025-2536

Found a Bug?

Found a Security Vulnerability?

Hall of Fame!

CVE-2025-2536 DOM based XSS at /o/layout-taglib/liferay/index.js