CVE-2025-43737

MEDIUM

Liferay Portal 7.4.0-7.4.3.131 & DXP 2025.Q1.0-2025.Q1.15 - Authenticated XSS via JournalPortlet backURL

Title source: llm

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43737

Scores

CVSS v3 5.4

EPSS 0.0004

EPSS Percentile 13.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

com.liferay/com.liferay.journal.web 0 - 5.0.196Maven

liferay/digital_experience_platform 2025.Q1.0 - 2025.Q1.16

liferay/liferay_portal 7.4.0 - 7.4.3.132

Published Aug 19, 2025

Tracked Since Feb 18, 2026