CVE-2025-43756: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2…

medium6.9CVSS 4.0

AVNACLATNPRNUINVCLVILVANSCLSILSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.

Affected

8 ranges

Vendor	Product	Version range	Fixed in
liferay	digital_experience_platform	>= 2024.q1.1 < 2024.q1.20	2024.q1.20
liferay	digital_experience_platform	>= 2025.Q1.0 < 2025.Q1.16	2025.Q1.16
liferay	digital_experience_platform	>= 2025.Q2.0 < 2025.Q2.3	2025.Q2.3
liferay	dxp	2024.Q1.13 – 2024.Q1.19	—
liferay	dxp	2025.Q1.0 – 2025.Q1.15	—
liferay	dxp	2025.Q2.0 – 2025.Q2.2	—
liferay	liferay_portal	—	—
liferay	portal	—	—