CVE-2025-43779

Summary

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet_productTypeName parameter. This malicious payload is then reflected and executed within the user's browser.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.0 <= 7.4.3.112affected
LiferayDXP7.4.13 <= 7.4.13-u92affected
LiferayDXP2024.Q1.1 <= 2024.Q1.18affected

Weaknesses

  • CWE-79: CWE-79: Cross-site Scripting

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References