Liferay XSS

MEDIUM (4.8) No Patch (58 days)

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 12%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Liferay Portal is a Java-based enterprise portal solution used by some organizations for intranet and extranet applications. This vulnerability allows remote, authenticated attackers to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter, potentially leading to cross-site scripting (XSS) attacks.

Am I affected?

You're affected if you use Liferay Portal 7.4.0 through 7.4.3.132 or Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, or 2024.Q1.1 through 2024.Q1.19.

Check with: grep -r "DDMPortlet_definition" /opt/liferay/portal/webroot/WEB-INF/classes/*

Note: Liferay DXP is a different product from Liferay Portal, so if you don't recognize the name, you're probably not affected.
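The grep above only confirms the portlet is installed; whether you are affected depends on the exact Liferay build. The following added example (not from the original advisory or from Liferay) encodes the affected version ranges listed above, as written on this page, and checks a version string against them. It assumes Portal versions look like 7.4.3.120 and DXP versions like 2025.Q1.12, which is the form used in the ranges above.

```python
import re
from typing import List, Tuple

# Affected ranges exactly as listed on this page (both ends inclusive).
PORTAL_AFFECTED: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((7, 4, 0), (7, 4, 3, 132)),
]
# (quarterly release, first affected patch, last affected patch)
DXP_AFFECTED: List[Tuple[str, int, int]] = [
    ("2025.Q2", 0, 9), ("2025.Q1", 0, 16), ("2024.Q4", 0, 7),
    ("2024.Q3", 1, 13), ("2024.Q2", 0, 13), ("2024.Q1", 1, 19),
]


def parse_portal(version: str) -> Tuple[int, ...]:
    """'7.4.3.120' -> (7, 4, 3, 120); '7.4.0' -> (7, 4, 0)."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a Liferay Portal version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def portal_is_affected(version: str) -> bool:
    v = parse_portal(version)
    # Tuple comparison is lexicographic, so (7, 4, 3, 120) < (7, 4, 3, 132)
    # and a shorter prefix such as (7, 4, 0) sorts before (7, 4, 0, 1).
    return any(low <= v <= high for low, high in PORTAL_AFFECTED)


def parse_dxp(version: str) -> Tuple[str, int]:
    """'2025.Q1.12' -> ('2025.Q1', 12)."""
    match = re.fullmatch(r"(\d{4}\.Q[1-4])\.(\d+)", version)
    if not match:
        raise ValueError(f"not a Liferay DXP version: {version!r}")
    return match.group(1), int(match.group(2))


def dxp_is_affected(version: str) -> bool:
    quarter, patch = parse_dxp(version)
    # Only the patch number within the matching quarterly line is compared;
    # an unlisted quarter (e.g. 2025.Q3) is reported as not affected.
    return any(quarter == q and low <= patch <= high
               for q, low, high in DXP_AFFECTED)


def is_affected(product: str, version: str) -> bool:
    """product is 'portal' or 'dxp'; version is the string shown in the admin UI."""
    if product.lower() == "portal":
        return portal_is_affected(version)
    if product.lower() == "dxp":
        return dxp_is_affected(version)
    raise ValueError(f"unknown product: {product!r}")
```

Run it with the version string shown in the Liferay control panel; a result of True means the build falls inside one of the ranges listed in "Am I affected?".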

Affected Packages

maven: org.apache.liferay.portal:portal-webapp

Affected Products

Apache Software Foundation / Liferay Portal

How to fix

  1. Upgrade to Liferay Portal 7.4.3.132 or later.
  2. For immediate mitigation:
     - Restrict network access to your Liferay instance (firewall it from the public internet)
     - Audit admin account activity for suspicious access patterns
     - Monitor for unauthorized token creation
