CVE-2025-43733

MEDIUM

Liferay Portal 7.4.3.132 & DXP 2025.Q1.0-2025.Q1.7 - Authenticated XSS via Content Page Name

Title source: llm

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7 allows a remote authenticated attacker to inject JavaScript code via the content page's name field. This malicious payload is then reflected and executed within the user's browser when viewing the "document View Usages" page.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43733

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 9.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

com.liferay/com.liferay.layout.taglib 0 - 17.0.0Maven

liferay/digital_experience_platform 2025.Q1.0 - 2025.Q1.8

liferay/liferay_portal 7.4.3.132

Published Aug 18, 2025

Tracked Since Feb 18, 2026