CVE-2025-43787 — Cross-site Scripting in Digital Experience Platform

CWE-79 — Cross-site Scripting CWE-190 — Integer Overflow or Wraparound5 documents5 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 89.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP Liferay Portal +1 more

Timeline

PublishedSep 12

Description

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the organization site names. The malicious payload is stored and executed without proper sanitization or escaping.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5liferay/portal7.4.0 — 7.4.3.132

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.132

▶NVDliferay/digital_experience_platform2024.q1.1 — 2024.q1.21+6

▶CVEListV5liferay/dxp2024.Q1.1 — 2024.Q1.20+6

🔴Vulnerability Details

GHSA

Liferay Portal's selection modal is vulnerable to XSS↗2025-09-12

▶

CVEList

CVE-2025-43787: A Stored cross-site scripting vulnerability in the Liferay Portal 7↗2025-09-12

▶

OSV

Liferay Portal's selection modal is vulnerable to XSS↗2025-09-12

▶

📋Vendor Advisories

Microsoft

Libx11: integer overflow in xcreateimage() leading to a heap overflow↗2023-10-10

▶