CVE-2025-43753 — Cross-site Scripting in Digital Experience Platform

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

2.1LOWNVD

EPSS

0.0%

top 91.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP Liferay Portal +1 more

Timeline

PublishedAug 21

Latest updateAug 22

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScript into the embedded message field from the form container.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

▶NVDliferay/digital_experience_platform2024.Q1.1 — 2024.Q1.17+5

▶CVEListV5liferay/portal7.4.3.32 — 7.4.3.132

▶NVDliferay/liferay_portal7.4.3.32 — 7.4.3.132

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+5

🔴Vulnerability Details

OSV

Liferay Portal Reflected Cross-Site Scripting Vulnerability via Form Container↗2025-08-22

▶

GHSA

Liferay Portal Reflected Cross-Site Scripting Vulnerability via Form Container↗2025-08-22

▶

CVEList

CVE-2025-43753: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7↗2025-08-21

▶