CVE-2025-43829: Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0…

medium4.8CVSS 4.0

AVNACLATNPRLUIAVCLVILVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a SVG file.

Affected

13 ranges

Vendor	Product	Version range	Fixed in
liferay	digital_experience_platform	—	—
liferay	digital_experience_platform	—	—
liferay	digital_experience_platform	>= 2023.q3.1 < 2023.q3.9	2023.q3.9
liferay	digital_experience_platform	>= 2023.q4.0 < 2023.q4.6	2023.q4.6
liferay	dxp	2023.Q3.1 – 2023.Q3.8	—
liferay	dxp	2023.Q4.0 – 2023.Q4.5	—
liferay	dxp	7.4.13-u18 – 7.4.13-u92	—
liferay	liferay_portal	>= 7.4.3.18 < 7.4.3.112	7.4.3.112
liferay	portal	7.4.3.18 – 7.4.3.111	—
msrc	cbl2_kernel_5.15.167.1-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_kernel_5.15.180.1-1_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—