CVE-2025-43756 — Cross-site Scripting in Digital Experience Platform

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 90.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP Liferay Portal +1 more

Timeline

PublishedAug 21

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

▶CVEListV5liferay/portal7.4.3.132

▶NVDliferay/liferay_portal7.4.3.132

▶NVDliferay/digital_experience_platform2024.q1.1 — 2024.q1.20+2

▶CVEListV5liferay/dxp2024.Q1.13 — 2024.Q1.19+2

🔴Vulnerability Details

CVEList

CVE-2025-43756: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7↗2025-08-21

▶

OSV

Liferay Portal Reflected Cross-Site Scripting Vulnerability via snippet Parameter↗2025-08-21

▶

GHSA

Liferay Portal Reflected Cross-Site Scripting Vulnerability via snippet Parameter↗2025-08-21

▶