The root cause of the vulnerability lies not in the core Liferay Portal application code but in a third-party dependency, liferay-ckeditor. The referenced commit confirms this: the fix is a version bump of that dependency.

The flaw is a classic reflected XSS in a sample file (ajax.html) that was likely not intended for production use but was nevertheless reachable. Exploitation requires an attacker to trick a user into opening a specially crafted link; when the user's browser loads the ajax.html page from that link, the script embedded in the URL is executed in the page's context.

Because the flaw is entirely client-side, a runtime profiler would show no server-side Java functions involved. The runtime indicator is instead visible in the browser's developer tools, which would show an inline script executing within the ajax.html page.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.frontend.editor.ckeditor.web | maven | < 5.0.107 | 5.0.107 |
| com.liferay:com.liferay.frontend.js.dependencies.web | maven | < 1.0.25 | 1.0.25 |
| liferay-ckeditor | npm | < 4.21.0-liferay.10 | 4.21.0-liferay.10 |
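As an added example, not code from Liferay or from the original analysis: a small JavaScript dependency audit that checks installed versions against the three advisory rows above and flags anything below the first patched version. It assumes that the `-liferay.N` suffix on the npm package compares like a semver pre-release identifier (numeric identifiers compared numerically, a plain release sorting above any pre-release of the same core version); the inventory at the bottom is constructed sample data, not a real deployment.

```javascript
// Added example (not Liferay's code): audit an inventory against the advisory table.
// Assumption: "-liferay.N" is treated as a semver pre-release identifier.
const ADVISORY = [
  { name: "com.liferay:com.liferay.frontend.editor.ckeditor.web", ecosystem: "maven", patched: "5.0.107" },
  { name: "com.liferay:com.liferay.frontend.js.dependencies.web", ecosystem: "maven", patched: "1.0.25" },
  { name: "liferay-ckeditor", ecosystem: "npm", patched: "4.21.0-liferay.10" },
];

// Parse "MAJOR.MINOR.PATCH[-pre.release]" into numeric core and pre-release identifiers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Compare two pre-release identifiers: numeric ones numerically, and numeric
// identifiers sort before alphanumeric ones (semver precedence rules).
function compareIds(a, b) {
  const na = /^\d+$/.test(a);
  const nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.core[i] !== vb.core[i]) return va.core[i] < vb.core[i] ? -1 : 1;
  }
  if (!va.pre && !vb.pre) return 0;
  if (!va.pre) return 1;  // a release outranks any pre-release of the same core
  if (!vb.pre) return -1;
  const n = Math.max(va.pre.length, vb.pre.length);
  for (let i = 0; i < n; i++) {
    if (va.pre[i] === undefined) return -1;  // shorter identifier list is lower
    if (vb.pre[i] === undefined) return 1;
    const c = compareIds(va.pre[i], vb.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// True when the package is one of the affected ones and the installed version
// is strictly below its first patched version.
function isVulnerable(name, installedVersion) {
  const entry = ADVISORY.find((e) => e.name === name);
  if (!entry) return false;
  return compareVersions(installedVersion, entry.patched) < 0;
}

// Walk an inventory of { name, version } records and return the findings.
function auditInventory(inventory) {
  const findings = [];
  for (const dep of inventory) {
    if (isVulnerable(dep.name, dep.version)) {
      const entry = ADVISORY.find((e) => e.name === dep.name);
      findings.push({ name: dep.name, installed: dep.version, upgradeTo: entry.patched });
    }
  }
  return findings;
}

// Constructed sample inventory (not from a real system).
const SAMPLE_INVENTORY = [
  { name: "liferay-ckeditor", version: "4.21.0-liferay.9" },
  { name: "com.liferay:com.liferay.frontend.editor.ckeditor.web", version: "5.0.107" },
  { name: "com.liferay:com.liferay.frontend.js.dependencies.web", version: "1.0.24" },
  { name: "some-unrelated-package", version: "2.3.4" },
];

for (const f of auditInventory(SAMPLE_INVENTORY)) {
  console.log(`${f.name} ${f.installed} is vulnerable; upgrade to ${f.upgradeTo}`);
}
```

Running the block against the constructed inventory reports two findings (liferay-ckeditor and the js.dependencies bundle); the ckeditor.web bundle is already at its first patched version and the unrelated package is ignored. If your build pins a version that does not match the `MAJOR.MINOR.PATCH[-suffix]` shape, `parseVersion` throws rather than silently treating it as safe.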