CVE-2025-43817

Summary

Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the redirect parameter to (1) Announcements, or (2) Alerts.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.3.74 <= 7.4.3.111affected
LiferayDXP7.4.13-u74 <= 7.4.13-u92affected
LiferayDXP2023.Q3.1 <= 2023.Q3.8affected
LiferayDXP2023.Q4.0 <= 2023.Q4.6affected

Weaknesses

  • CWE-79: CWE-79: Cross-site Scripting

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References