Liferay Portal is vulnerable to XXS through its Commerce Product's Name text field
Moderate severity
GitHub Reviewed
Published
Oct 8, 2025
to the GitHub Advisory Database
•
Updated Oct 9, 2025
Package
Affected versions
>= 6.0.5, < 6.0.134
Patched versions
6.0.134
Description
Published by the National Vulnerability Database
Oct 8, 2025
Published to the GitHub Advisory Database
Oct 8, 2025
Reviewed
Oct 9, 2025
Last updated
Oct 9, 2025
Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.
References