CVE-2025-43786 — Cross-site Scripting in Digital Experience Platform

CWE-79 — Cross-site Scripting CWE-203 — Observable Discrepancy CWE-208 — Observable Timing Discrepancy CWE-835 — Infinite Loop5 documents5 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 90.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 9

Description

Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the application by exploit the time response.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.129

▶CVEListV5liferay/portal7.4.0 — 7.4.3.128

▶NVDliferay/digital_experience_platform2024.Q1.1 — 2024.Q1.13+3

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+3

🔴Vulnerability Details

GHSA

Liferay Portal exposes ERC which can lead to exploit the time response attack↗2025-09-09

▶

OSV

Liferay Portal exposes ERC which can lead to exploit the time response attack↗2025-09-09

▶

CVEList

CVE-2025-43786: Enumeration of ERC from object entry in Liferay Portal 7↗2025-09-09

▶

📋Vendor Advisories

Microsoft

Libx11: stack exhaustion from infinite recursion in putsubimage()↗2023-10-10

▶