CVE-2025-43737 — Cross-site Scripting in Digital Experience Platform

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 91.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP Liferay Portal +1 more

Timeline

PublishedAug 19

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.132

▶CVEListV5liferay/portal7.4.3.132

▶NVDliferay/digital_experience_platform2025.Q1.0 — 2025.Q1.16+1

▶CVEListV5liferay/dxp2025.Q1.0 — 2025.Q1.15+1

🔴Vulnerability Details

CVEList

CVE-2025-43737: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7↗2025-08-19

▶

GHSA

Liferay Portal Vulnerable to Cross-Site Scripting via backURL Paramter↗2025-08-19

▶

OSV

Liferay Portal Vulnerable to Cross-Site Scripting via backURL Paramter↗2025-08-19

▶