CNNVD-202508-264 Information

CNNVD ID

CNNVD-202508-264

Related CVE

CVE-2025-4599

• CNNVD Published: 2025-08-04

Description (Chinese)

Liferay Portal是美国Liferay公司的一套基于J2EE的门户解决方案。该方案使用了EJB以及JMS等技术，并可作为Web发布和共享工作区、企业协作平台、社交网络等。 Liferay Portal存在跨站脚本漏洞，该漏洞源于片段预览功能允许注入JavaScript，可能导致基于postMessage的跨站脚本攻击。

Description (English)

Liferay Portal is a portal solution based on J2EE for the United States company Liferay. The programme uses technologies such as EJB and JMS, and can be used as a Web-based workspace, corporate collaboration platform, social networking etc. Liferay Portal had a cross-site script loophole, which stemmed from the fact that the video preview function allowed for the injection of JavaScript, which could result in a cross-site attack based on postMessage.

Hazard Level

Critical

Vulnerability Type

跨站脚本

Affected Vendor

Liferay

Published

2025-08-04

Last Modified

2026-02-24

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4599 https://access.redhat.com/security/cve/cve-2025-4599

Patch

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4599