Summary by RootVaibhav
A JavaScript injection vulnerability was discovered on https://www.globe.gov via the _com_liferay_login_web_portlet_LoginPortlet_redirect parameter. The value of this parameter is directly assigned to the global Liferay.SPA.loginRedirect variable without sanitization, introducing a client-side stored injection vector.
Although not executed immediately, this injected string remains accessible in the global scope and can be evaluated via eval(Liferay.SPA.loginRedirect) — a common pattern in Single Page Applications (SPAs) for dynamic routing or redirection logic. Once executed, it allows for arbitrary JavaScript execution, including the ability to load remote scripts (e.g., from Serveo/GitHub Pages), manipulate the DOM, and hijack session context.
This pattern introduces a dangerous XSS primitive with potential future exploitability, especially in SPAs where variables like loginRedirect may be consumed without re-validation. I have included a working PoC and video demo for reference.
Requesting disclosure consideration for educational and research transparency.
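The following is an added example and is not code from the report, from Liferay or from globe.gov. It models in Node.js the pattern described above: the value of the `_com_liferay_login_web_portlet_LoginPortlet_redirect` query parameter is copied verbatim into a `loginRedirect` global, and a hypothetical SPA routing helper (`evalSink`, assumed here, not a Liferay function) later passes that global to `eval()`. Beside it sits a hardened `safeRedirect()` that treats the redirect as a same-origin path and never evaluates it. The request URL and marker payload are constructed for the demonstration; the site origin and the parameter name are taken from the report.

```javascript
// Added example (not Liferay or globe.gov code): unsanitized redirect parameter
// landing in a global that is later eval()'d, next to a validated alternative.

const PARAM = "_com_liferay_login_web_portlet_LoginPortlet_redirect"; // from the report
const SITE_ORIGIN = "https://www.globe.gov";                           // assumed site origin

// Vulnerable assignment: whatever the parameter holds becomes the global's value.
// `spa` stands in for the real Liferay.SPA object, whose internals are not modelled.
function vulnerableAssign(requestUrl, spa) {
  const value = new URL(requestUrl).searchParams.get(PARAM);
  spa.loginRedirect = value === null ? "/" : value;
  return spa.loginRedirect;
}

// Hypothetical sink: a routing helper that evaluates the stored redirect as code.
// This is the step that turns the injected string into arbitrary JavaScript.
function evalSink(spa) {
  return eval(spa.loginRedirect);
}

// Hardened alternative: accept only a site-relative path, resolve it against the
// known origin, and return a string to be used as data (e.g. location.assign()).
function safeRedirect(candidate, siteOrigin, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return fallback;
  }
  // Require exactly one leading slash: rejects "//host", "/\host", "javascript:"
  // and "https://" forms before any URL parsing takes place.
  if (!/^\/(?![\/\\])/.test(candidate)) {
    return fallback;
  }
  let resolved;
  try {
    resolved = new URL(candidate, siteOrigin);
  } catch (e) {
    return fallback;
  }
  if (resolved.origin !== siteOrigin) {
    return fallback;
  }
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed request carrying a harmless marker instead of a real exploit payload.
const PAYLOAD = "globalThis.__injected = 'ran'";
const CONSTRUCTED_REQUEST =
  "https://www.globe.gov/c/portal/login?" + PARAM + "=" + encodeURIComponent(PAYLOAD);

// Runs both paths on the constructed request and returns what each one produced.
function runDemo() {
  const spa = { loginRedirect: "/" };
  const stored = vulnerableAssign(CONSTRUCTED_REQUEST, spa);
  const evaluated = evalSink(spa);                    // executes the marker assignment
  const hardened = safeRedirect(stored, SITE_ORIGIN); // same input, treated as data only
  return { stored, evaluated, injectedFlag: globalThis.__injected, hardened };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runDemo());
}
```

Running the block shows the injected string surviving intact in the global and executing once `evalSink` touches it, while `safeRedirect` collapses the same value to `/`. The hardened form deliberately refuses absolute URLs, protocol-relative and backslash variants, and anything that is not a single-slash path, so an attacker who controls the parameter can at most choose a page on the same origin.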