VYPR
Moderate severity · NVD Advisory · Published Jan 7, 2021 · Updated Aug 4, 2024

CVE-2020-25476

Description

Liferay CMS Portal versions 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of their own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate their privileges in case an admin visits the calendar that injected the payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind persistent XSS in Liferay CMS Portal 7.1.3 and 7.2.1 via user profile name fields, allowing privilege escalation when an admin views the attacker's calendar.

Vulnerability

Overview

CVE-2020-25476 is a blind persistent cross-site scripting (XSS) vulnerability affecting Liferay CMS Portal versions 7.1.3 and 7.2.1. The root cause is the lack of proper sanitization of the getFullName() output when rendered in the Calendar portlet. An attacker can inject malicious payloads into their profile's username, lastname, or surname fields, which are then stored and later reflected without escaping in the calendar view of any user who interacts with that payload. The patch shown in the references adds HtmlUtil.escape() around the owner.getFullName() call, preventing the execution of injected scripts [1][2].

Attack

Vector and Prerequisites

To exploit this vulnerability, an attacker must have a valid user account on the Liferay portal. The attacker updates their own profile by embedding JavaScript in the username, lastname, or surname fields. When the attacker views any calendar event (essentially any calendar page), the malicious script is executed in the context of the attacker's session. However, for privilege escalation, the attacker must convince an administrator to view the attacker's calendar or a calendar that displays the attacker's name. No special authentication beyond a regular user account is required; the attack is blind because the attacker may not immediately see the execution result unless they trigger it themselves [3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user who views the affected calendar, potentially leading to session hijacking, keylogging, or defacement. The most critical impact is privilege escalation: if an administrator views the attacker's calendar, the injected payload can perform actions under the admin's session, such as creating new admin accounts, modifying site settings, or exfiltrating sensitive data. The official NVD description confirms that an attacker could escalate their privileges if an admin visits the calendar [3].

Mitigation

Liferay has released cumulative patches for the affected versions, as referenced in the diffs [1][2]. The fix introduces output encoding using HtmlUtil.escape() on the getFullName() value before rendering it in the calendar. Users should upgrade to versions 7.2.1 GA2 or later (for the 7.2.x line) and 7.1.3 GA4 or later (for the 7.1.x line). Administrators should also review user profile settings and consider restricting the ability to modify certain fields if immediate patching is not possible. The main Liferay Portal source repository hosted on GitHub contains the fix in its release branches [4].
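The render-time encoding described in the Overview and Mitigation sections, as an added illustration that is not Liferay's source: a minimal stand-in for the Calendar portlet shows the owner's full name rendered verbatim (pre-fix) and encoded (post-fix), plus a small check for flagging already-stored names that contain markup. CalendarOwner, escape() and looksLikeMarkup() are hypothetical; escape() only approximates the effect of HtmlUtil.escape() and is not the Liferay implementation.

```java
// Added illustration, not Liferay's code: a minimal model of the Calendar portlet rendering
// an event owner's name before and after the CVE-2020-25476 fix. CalendarOwner, escape() and
// looksLikeMarkup() are hypothetical; escape() only approximates HtmlUtil.escape()'s effect.
public final class CalendarOwnerRendering {

    // Stand-in for the user object whose getFullName() the portlet renders.
    static final class CalendarOwner {
        private final String firstName, lastName;
        CalendarOwner(String firstName, String lastName) {
            this.firstName = firstName;
            this.lastName = lastName;
        }
        String getFullName() { return firstName + " " + lastName; }
    }

    // Pre-fix behaviour: the stored name is concatenated into markup verbatim, so tags
    // saved in a profile name field become live HTML in every viewer's browser.
    static String renderOwnerVulnerable(CalendarOwner owner) {
        return "<span class=\"calendar-owner\">" + owner.getFullName() + "</span>";
    }

    // Patched behaviour: encode at the output boundary, as the fix does by wrapping
    // owner.getFullName() in HtmlUtil.escape(); the browser then shows the tags as text.
    static String renderOwnerFixed(CalendarOwner owner) {
        return "<span class=\"calendar-owner\">" + escape(owner.getFullName()) + "</span>";
    }

    // Minimal HTML-context encoder; '&' is replaced first so the entities produced later are not re-encoded.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&#34;").replace("'", "&#39;");
    }

    // Post-patch clean-up aid: flag stored profile names that contain markup characters
    // so an administrator can review accounts whose names were saved before the fix.
    static boolean looksLikeMarkup(String storedName) {
        return storedName.matches("(?s).*[<>\"'].*");
    }

    public static void main(String[] args) {
        // Constructed sample: a last name carrying a tag, as the advisory describes.
        CalendarOwner owner = new CalendarOwner("Eve", "<b>Smith</b>");
        System.out.println(renderOwnerVulnerable(owner));
        System.out.println(renderOwnerFixed(owner));
        System.out.println(looksLikeMarkup(owner.getFullName()));
    }
}
```

Compile and run with `javac CalendarOwnerRendering.java && java CalendarOwnerRendering`; the first line of output carries the tag through unchanged, the second shows it entity-encoded.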

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                         Affected versions   Patched versions
com.liferay.portal:release.portal.bom (Maven)   <= 7.1.3            (none listed)
com.liferay.portal:release.portal.bom (Maven)   >= 7.2, <= 7.2.1    (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)