Description
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace and _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_namespace parameter.
Remediation
References
Related Vulnerabilities
Liferay Portal Cleartext Storage of Sensitive Information Vulnerability (CVE-2025-62261)
WordPress Ultimate Member Plugin Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-31216)
WordPress Plugin OG Tags Cross-Site Request Forgery (2.0.1)
Zope Web Application Server Other Vulnerability (CVE-2006-4684)