CVE-2016-10404
Description
XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect field to modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Liferay Portal before 7.0 CE GA4 allows an attacker to inject arbitrary JavaScript via a crafted redirect field, leading to potential session hijacking or content redirection.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Liferay Portal versions before 7.0 CE GA4 in the file modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp [1]. The vulnerability arises because the value returned by spaUtil.getLoginRedirect(request) is rendered directly into a single-quoted JavaScript string literal without escaping [3]. The fix, introduced in commit 333f65bae9106182d12e02d249d4f95e16e93fa2, wraps the output with HtmlUtil.escapeJS() to sanitize the redirect field [3].
Exploitation
An attacker must be able to supply a crafted redirect parameter to the application, for example via a phishing link or by chaining with another vector that controls the redirect value. No special authentication is required if the affected component is accessible to unauthenticated users; the attacker only needs to lure a victim into visiting a crafted URL. The crafted redirect value can include JavaScript payloads, which will be executed in the context of the user's session when the SPA framework processes the login redirect [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of sensitive information, defacement, or redirection to malicious sites. The impact is limited by the fact that the attacker controls only the redirect parameter, but the XSS runs in the context of the Liferay Portal domain, potentially affecting any user who triggers the vulnerable function.
Mitigation
The vulnerability is fixed in Liferay Portal 7.0 CE GA4 and later versions. Users should upgrade to at least GA4 or apply the patch that escapes the redirect value using HtmlUtil.escapeJS() [3]. No workarounds are documented; the only effective mitigation is to update Liferay Portal to a patched release [1]. For users on older versions, upgrading to the latest CE GA or migrating to Liferay DXP is recommended [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
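The escaping gap described under Vulnerability, as an added example that is not code from this page or from Liferay: it models the template line before and after the fix and evaluates each rendering against stub objects. escapeJsString is a hypothetical stand-in for HtmlUtil.escapeJS (its output format here is an assumption), and the sample redirect values are constructed.

```javascript
// Added example: hypothetical helpers, not Liferay's HtmlUtil implementation.

// Escape a value for a quoted JavaScript string literal inside an inline
// <script> block: every non-alphanumeric UTF-16 code unit becomes \xHH or \uHHHH.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The template line before the fix: the value lands in the literal unchanged.
function renderBefore(redirect) {
  return "Liferay.SPA.loginRedirect = '" + redirect + "';";
}

// The template line after the fix: the value is escaped for the JS string context.
function renderAfter(redirect) {
  return "Liferay.SPA.loginRedirect = '" + escapeJsString(redirect) + "';";
}

// Run a rendered statement against stub objects and report the outcome.
function evaluate(statement) {
  const Liferay = { SPA: {} };
  const probe = { called: false };
  new Function('Liferay', 'probe', statement)(Liferay, probe);
  return { loginRedirect: Liferay.SPA.loginRedirect, injected: probe.called };
}

// Constructed value: ends the literal early and flips a harmless flag.
const CRAFTED = "/home';probe.called=true;//";
// Constructed value that would end an inline <script> block at the HTML parser.
const TAG_BREAK = '/home</script>';

console.log('before:', evaluate(renderBefore(CRAFTED)));
console.log('after: ', evaluate(renderAfter(CRAFTED)));
console.log('tag in output after escaping:', renderAfter(TAG_BREAK).includes('<'));
```

With escaping applied, the assigned value round-trips to the exact input string and no `<` reaches the HTML parser, so the value stays data in both the JavaScript and the HTML context.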
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | < 7.0.3-ga4 | 7.0.3-ga4 |
Affected products (1)
Patches (1)
333f65bae910 LPS-68469 Missing escape
1 file changed · +3 −2
modules/apps/foundation/frontend-js/frontend-js-spa-web/src/main/resources/META-INF/resources/init.jsp+3 −2 modified@@ -19,7 +19,8 @@ taglib uri="http://liferay.com/tld/theme" prefix="liferay-theme" %> <%@ page import="com.liferay.frontend.js.spa.web.internal.constants.SPAWebKeys" %><%@ page import="com.liferay.frontend.js.spa.web.internal.servlet.taglib.util.SPAUtil" %><%@ -page import="com.liferay.portal.kernel.language.LanguageUtil" %> +page import="com.liferay.portal.kernel.language.LanguageUtil" %><%@ +page import="com.liferay.portal.kernel.util.HtmlUtil" %> <liferay-theme:defineObjects /> @@ -33,7 +34,7 @@ SPAUtil spaUtil = (SPAUtil)request.getAttribute(SPAWebKeys.SPA_UTIL); Liferay.SPA.cacheExpirationTime = <%= spaUtil.getCacheExpirationTime(themeDisplay.getCompanyId()) %>; Liferay.SPA.clearScreensCache = <%= spaUtil.isClearScreensCache(request, session) %>; Liferay.SPA.excludedPaths = <%= spaUtil.getExcludedPaths() %>; - Liferay.SPA.loginRedirect = '<%= spaUtil.getLoginRedirect(request) %>'; + Liferay.SPA.loginRedirect = '<%= HtmlUtil.escapeJS(spaUtil.getLoginRedirect(request)) %>'; Liferay.SPA.requestTimeout = <%= spaUtil.getRequestTimeout() %>; Liferay.SPA.userNotification = { message: '<%= LanguageUtil.get(spaUtil.getLanguageResourceBundle(themeDisplay.getLocale()), "it-looks-like-this-is-taking-longer-than-expected") %>',
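Review bot: the unchanged context at the end of the second hunk still emits message: '<%= LanguageUtil.get(...) %>' into a single-quoted JavaScript literal with no escaping, which is the same pattern this patch corrects for Liferay.SPA.loginRedirect. A resource-bundle string containing an apostrophe or a backslash would end or corrupt that literal, so wrap it in HtmlUtil.escapeJS(...) as well, or note in the commit why bundle values are treated as trusted. The change is +3 −2 in a single file with no test alongside it; a regression test that renders init.jsp with a quote character in the redirect value and checks the emitted literal would keep the escape from being dropped later.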
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities (nvd: Issue Tracking, Patch, Vendor Advisory)
- github.com/liferay/liferay-portal/commit/333f65bae9106182d12e02d249d4f95e16e93fa2 (nvd: Issue Tracking, Patch, Third Party Advisory, WEB)
- github.com/advisories/GHSA-jmjf-cmq5-7w25 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-10404 (ghsa: ADVISORY)
- web.archive.org/web/20200601000000*/https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-70/-/asset_publisher/cjE0ourZXJZE/content/cst-7017-multiple-xss-vulnerabilities (ghsa: WEB)