CVE-2025-43746

Summary

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace and _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_namespace parameter.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.0 <= 7.4.3.132affected
LiferayDXP7.4.13 <= 7.4.13-u92affected
LiferayDXP2024.Q1.1 <= 2024.Q1.18affected
LiferayDXP2024.Q2.0 <= 2024.Q2.13affected
LiferayDXP2024.Q3.0 <= 2024.Q3.13affected
LiferayDXP2024.Q4.0 <= 2024.Q4.7affected
LiferayDXP2025.Q1.0 <= 2025.Q1.14affected
LiferayDXP2025.Q2.0 <= 2025.Q2.2affected

Weaknesses

  • CWE-79: CWE-79: Cross-site Scripting

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References