CVE-2025-43817: Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6…

medium4.8CVSS 4.0

AVNACLATNPRLUIAVCLVILVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1) Announcements, or (2) Alerts.

Affected

12 ranges

Vendor	Product	Version range	Fixed in
liferay	digital_experience_platform	—	—
liferay	digital_experience_platform	>= 2023.Q4.0 < 2023.Q4.7	2023.Q4.7
liferay	digital_experience_platform	>= 2023.q3.1 < 2023.q3.9	2023.q3.9
liferay	dxp	2023.Q3.1 – 2023.Q3.8	—
liferay	dxp	2023.Q4.0 – 2023.Q4.6	—
liferay	dxp	7.4.13-u74 – 7.4.13-u92	—
liferay	liferay_portal	>= 7.4.3.74 < 7.4.3.112	7.4.3.112
liferay	portal	7.4.3.74 – 7.4.3.111	—
msrc	cbl2_kernel_5.15.164.1-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_kernel_5.15.167.1-1_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—