CVE-2025-43776

Summary

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.0 <= 7.4.3.132affected
LiferayDXP7.4.13 <= 7.4.13-u92affected
LiferayDXP2024.Q1.1 <= 2024.Q1.19affected
LiferayDXP2024.Q2.0 <= 2024.Q2.13affected
LiferayDXP2024.Q3.0 <= 2024.Q3.13affected
LiferayDXP2024.Q4.0 <= 2024.Q4.7affected
LiferayDXP2025.Q1.0 <= 2025.Q1.16affected
LiferayDXP2025.Q2.0 <= 2025.Q2.9affected

Weaknesses

  • CWE-209: CWE-209 Generation of Error Message Containing Sensitive Information

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References