Liferay: Reflected Cross-Site Scripting Vulnerability in Liferay Portal and DXP Blogs Module

In Liferay Portal and DXP versions 7.4.0 through 7.4.3.133, 7.4 GA through update 92 and 2024.Q1.1 through 2025.Q1.4 a medium severity vulnerability CVE-2025-4576 was detected. This vulnerability allows remote, non-authenticated attackers to perform reflected Cross-Site Scripting (XSS) by injecting malicious JavaScript into the blogs/entry_cover_image_caption.jsp component. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.0, 2025.Q1.5 or 2024.Q1.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4576.