Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp

Remediation

References

CVE-2025-4576

Related Vulnerabilities

PrestaShop Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2019-19595)

MySQL CVE-2017-10155 Vulnerability (CVE-2017-10155)

MediaWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2012-1580)

Contao Key Management Errors Vulnerability (CVE-2019-10643)

WordPress Plugin Elementor Website Builder Multiple Cross-Site Scripting Vulnerabilities (3.1.1)

Severity

Medium

Classification

CVE-2025-4576 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities