
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN285

_____________________________________________________________________

DATE                : 07/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Liferay Portal versions prior to
                     7.4.3.132,
                     Liferay DXP versions prior to 2024.Q1.13,
                     Liferay DXP versions prior to 2024.Q4.6.

=====================================================================
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-4388
_____________________________________________________________________

CVE-2025-4388 Reflected XSS in marketplace-app-manager-web


Description

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal
and Liferay DXP allows a remote, unauthenticated attacker to inject
JavaScript through the marketplace app manager module
(modules/apps/marketplace/marketplace-app-manager-web).


Severity

6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)


Affected Version(s)

    Liferay Portal 7.4.0 through 7.4.3.131
    Liferay DXP 2024.Q4.0 through DXP 2024.Q4.5
    Liferay DXP 2024.Q3
    Liferay DXP 2024.Q2
    Liferay DXP 2024.Q1.1 through DXP 2024.Q1.12
    Liferay DXP 7.4


Fixed Version(s)

    Liferay Portal 7.4.3.132
    Liferay DXP 2024.Q1.13
    Liferay DXP 2024.Q4.6
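
The following is an added triage helper, not Liferay tooling and not part
of the original advisory. It encodes the Affected Version(s) and Fixed
Version(s) tables above so an inventory of Liferay instances can be
classified offline. It assumes the version-string forms used in the
advisory: "7.4.3.131" for Liferay Portal (a three-part "7.4.0" is read as
build 0), "2024.Q4.5" for DXP quarterly releases, and anything beginning
with "7.4" for the "Liferay DXP 7.4" line, which the advisory lists as
affected without giving a fixed version. Versions outside the listed
ranges (Portal below 7.4.0, DXP quarters other than those named) are
reported as "not listed in advisory", not as safe.

```python
"""Affected-version check for CVE-2025-4388 (added example, not Liferay code).

Assumed version-string formats:
  Liferay Portal : "7.4.3.131"; "7.4.0" is treated as 7.4.0.0
  Liferay DXP    : "2024.Q4.5" (quarterly); any "7.4..." string is the
                   "Liferay DXP 7.4" line, listed as affected with no fix
"""
import re
from enum import Enum


class Status(Enum):
    AFFECTED = "affected"
    FIXED = "fixed"
    NOT_LISTED = "not listed in advisory"


# Liferay Portal: 7.4.0 through 7.4.3.131 affected, 7.4.3.132 fixed.
PORTAL_FIRST_AFFECTED = (7, 4, 0, 0)
PORTAL_LAST_AFFECTED = (7, 4, 3, 131)
PORTAL_FIRST_FIXED = (7, 4, 3, 132)

# Liferay DXP quarterly releases, keyed by (year, quarter):
#   (first affected patch, last affected patch, first fixed patch).
# last == None means every patch level of that quarter is affected and
# the advisory lists no fixed version for it.
DXP_QUARTERLY = {
    (2024, 1): (1, 12, 13),      # 2024.Q1.1 through 2024.Q1.12; 2024.Q1.13 fixed
    (2024, 2): (0, None, None),  # 2024.Q2, all patch levels
    (2024, 3): (0, None, None),  # 2024.Q3, all patch levels
    (2024, 4): (0, 5, 6),        # 2024.Q4.0 through 2024.Q4.5; 2024.Q4.6 fixed
}

_PORTAL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")
_QUARTERLY_RE = re.compile(r"^(\d{4})\.Q([1-4])(?:\.(\d+))?$", re.IGNORECASE)


def portal_status(version: str) -> Status:
    """Classify a Liferay Portal (CE) version string."""
    m = _PORTAL_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Portal version: {version!r}")
    v = tuple(int(part or 0) for part in m.groups())  # missing 4th part -> 0
    if PORTAL_FIRST_AFFECTED <= v <= PORTAL_LAST_AFFECTED:
        return Status.AFFECTED
    if v >= PORTAL_FIRST_FIXED:
        return Status.FIXED
    return Status.NOT_LISTED


def dxp_status(version: str) -> Status:
    """Classify a Liferay DXP version string (quarterly or 7.4 line)."""
    version = version.strip()
    if version == "7.4" or version.startswith("7.4."):
        # Advisory lists "Liferay DXP 7.4" as affected and gives no fix for it.
        return Status.AFFECTED
    m = _QUARTERLY_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised DXP version: {version!r}")
    year, quarter = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) is not None else None
    entry = DXP_QUARTERLY.get((year, quarter))
    if entry is None:
        return Status.NOT_LISTED
    first, last, fixed = entry
    if last is None:
        return Status.AFFECTED  # whole quarter affected, patch level irrelevant
    if patch is None:
        # This quarter has a fix boundary, so the patch level decides; do not guess.
        raise ValueError(f"patch level required for {version!r}")
    if first <= patch <= last:
        return Status.AFFECTED
    if patch >= fixed:
        return Status.FIXED
    return Status.NOT_LISTED


def check(product: str, version: str) -> Status:
    """Dispatch on product name, "portal" or "dxp" (case-insensitive)."""
    product = product.strip().lower()
    if product == "portal":
        return portal_status(version)
    if product == "dxp":
        return dxp_status(version)
    raise ValueError(f"unknown product: {product!r}")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("portal01", "portal", "7.4.3.131"),
        ("portal02", "portal", "7.4.3.132"),
        ("dxp-q1", "dxp", "2024.Q1.12"),
        ("dxp-q4", "dxp", "2024.Q4.6"),
        ("dxp-legacy", "dxp", "7.4.13"),
        ("dxp-new", "dxp", "2025.Q1.0"),
    ]
    for host, product, version in inventory:
        print(f"{host:12} {product:7} {version:12} {check(product, version).value}")
```

A quarterly string without a patch level (e.g. "2024.Q4") is rejected when
the quarter has a fix boundary, because the patch level is exactly what
separates affected from fixed builds there; for 2024.Q2 and 2024.Q3 the
advisory names no fixed build, so the patch level does not matter.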


Acknowledgments

This issue was reported by Shubham Shah - CTO @ Assetnote and
Adam Kues - Security Researcher @ Assetnote


Publication date: Tue, 06 May 2025 17:40:00 +0000

Security advisories for Liferay's enterprise offerings (e.g.,
Liferay DXP) are only listed here since 2023. Historical
advisories are available in the Help Center.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
