CVE-2025-43802: Stored cross-site scripting (XSS) vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1…

medium4.8CVSS 4.0

AVNACLATNPRLUIAVCLVILVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

Stored cross-site scripting (XSS) vulnerability in a custom object’s /o/c/ API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web script or HTML via the externalReferenceCode parameter.

Affected

17 ranges

Vendor	Product	Version range	Fixed in
liferay	digital_experience_platform	—	—
liferay	digital_experience_platform	—	—
liferay	digital_experience_platform	>= 2023.q3.1 < 2023.q3.5	2023.q3.5
liferay	dxp	—	—
liferay	dxp	2023.Q3.1 – 2023.Q3.4	—
liferay	dxp	7.3.10-u33 – 7.3.10-u35	—
liferay	dxp	7.4.13-u51 – 7.4.13-u92	—
liferay	liferay_portal	>= 7.4.3.51 < 7.4.3.110	7.4.3.110
liferay	portal	7.4.3.51 – 7.4.3.111	—
msrc	azl3_vim_9.1.0697-1_on_azure_linux_3.0	—	—
msrc	azl3_vim_9.1.0791-4_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_vim_9.1.0697-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_vim_9.1.0791-4_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—