CVE-2025-43804 — Cross-site Scripting in Portal

CWE-79 — Cross-site Scripting CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 90.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedSep 16

Latest updateSep 17

Description

Cross-site scripting (XSS) vulnerability in Search widget in Liferay Portal 7.4.3.93 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_search_web_portlet_SearchPortlet_userId parameter.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.3.93 — 7.4.3.112

▶CVEListV5liferay/portal7.4.3.93 — 7.4.3.111

▶CVEListV5liferay/dxp2023.Q3.1 — 2023.Q3.4+1

▶NVDliferay/digital_experience_platform7 versions+6

🔴Vulnerability Details

OSV

Liferay search widget vulnerable to Cross-site Scripting↗2025-09-17

▶

GHSA

Liferay search widget vulnerable to Cross-site Scripting↗2025-09-17

▶

CVEList

CVE-2025-43804: Cross-site scripting (XSS) vulnerability in Search widget in Liferay Portal 7↗2025-09-16

▶

📋Vendor Advisories

Microsoft

`Cookie` HTTP header isn't stripped on cross-origin redirects↗2023-10-10

▶