CVE-2025-43800: Cross-site scripting (XSS) vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and…

medium4.8CVSS 4.0

AVNACLATNPRLUIAVCLVILVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

Cross-site scripting (XSS) vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an object with a rich text type field.

Affected

13 ranges

Vendor	Product	Version range	Fixed in
liferay	digital_experience_platform	—	—
liferay	digital_experience_platform	—	—
liferay	digital_experience_platform	>= 2023.q3.1 < 2023.q3.5	2023.q3.5
liferay	dxp	—	—
liferay	dxp	2023.Q3.1 – 2023.Q3.4	—
liferay	dxp	7.4.13-u20 – 7.4.13-u92	—
liferay	liferay_portal	>= 7.4.3.20 < 7.4.3.112	7.4.3.112
liferay	portal	7.4.3.20 – 7.4.3.111	—
msrc	azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0	—	—
msrc	cbl2_reaper_3.1.1-13_on_cbl_mariner_2.0	—	—
msrc	cbl2_reaper_3.1.1-18_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—