CVE-2025-43783Cross-site Scripting in Digital Experience Platform

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.1MEDIUMNVD
EPSS
0.0%
top 92.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Liferay Digital Experience PlatformLiferay PortalLiferay DXP+1 more
Timeline
PublishedSep 10

Description

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

NVDliferay/liferay_portal7.4.07.4.3.129
CVEListV5liferay/portal7.4.3.737.4.3.128
NVDliferay/digital_experience_platform2024.Q1.12024.Q1.13+3
CVEListV5liferay/dxp7.4.13-u737.4.13-u92+3

🔴Vulnerability Details

3
CVEList
CVE-2025-43783: Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 72025-09-10
OSV
Liferay Portal is vulnerable to Reflected XSS attack through get_editor path2025-09-10
GHSA
Liferay Portal is vulnerable to Reflected XSS attack through get_editor path2025-09-10
CVE-2025-43783 — Cross-site Scripting | cvebase