CVE-2025-43779 — Cross-site Scripting in Digital Experience Platform

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 91.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 24

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet_productTypeName parameter. This malicious payload is then reflected and executed within the user's browser.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.113

▶CVEListV5liferay/portal7.4.0 — 7.4.3.112

▶NVDliferay/digital_experience_platform2024.Q1.1 — 2024.Q1.19+1

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+1

🔴Vulnerability Details

GHSA

GHSA-687m-mwvq-fx42: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7↗2025-09-24

▶

CVEList

CVE-2025-43779: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7↗2025-09-24

▶