Moderate severityNVD Advisory· Published Mar 19, 2025· Updated Mar 21, 2025
CVE-2025-2536
CVE-2025-2536
Description
Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers to inject arbitrary web script or HTML via toastData parameter
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.dxp.bomMaven | >= 2024.Q2.0, <= 2024.Q2.11 | — |
com.liferay.portal:release.portal.bomMaven | >= 7.4.3.82, < 7.4.3.129 | 7.4.3.129 |
com.liferay.portal:release.dxp.bomMaven | >= 2024.Q1.1, < 2024.Q1.13 | 2024.Q1.13 |
com.liferay.portal:release.dxp.bomMaven | >= 2023.Q4.0, < 2024.Q4.0 | 2024.Q4.0 |
com.liferay.portal:release.dxp.bomMaven | >= 2023.Q3.1, < 2024.Q4.0 | 2024.Q4.0 |
com.liferay.portal:release.dxp.bomMaven | >= 2024.Q3.0, < 2024.Q3.1 | 2024.Q3.1 |
Affected products
4- ghsa-coords2 versions
>= 2024.Q2.0, <= 2024.Q2.11+ 1 more
- (no CPE)range: >= 2024.Q2.0, <= 2024.Q2.11
- (no CPE)range: >= 7.4.3.82, < 7.4.3.129
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.