Liferay Portal Reflected XSS in blogs-web
Moderate severity
GitHub Reviewed
Published
Aug 8, 2025
to the GitHub Advisory Database
•
Updated Aug 8, 2025
Package
Affected versions
< 6.0.139
Patched versions
6.0.139
Description
Published by the National Vulnerability Database
Aug 8, 2025
Published to the GitHub Advisory Database
Aug 8, 2025
Reviewed
Aug 8, 2025
Last updated
Aug 8, 2025
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp
References