CVE-2025-43737
published 2025-08-19CVE-2025-43737: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through…
medium5.1CVSS 4.0
AVNACLATNPRLUIPVCLVILVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| liferay | digital_experience_platform | >= 2025.Q1.0 < 2025.Q1.16 | 2025.Q1.16 |
| liferay | digital_experience_platform | >= 2025.Q2.0 < 2025.Q2.9 | 2025.Q2.9 |
| liferay | dxp | 2025.Q1.0 – 2025.Q1.15 | — |
| liferay | dxp | 2025.Q2.0 – 2025.Q2.8 | — |
| liferay | liferay_portal | 7.4.0 – 7.4.3.132 | — |
| liferay | portal | — | — |