CVE-2025-43753

MEDIUM

Liferay Portal 7.4.3.32-7.4.3.132 & DXP 2025.Q1.0-2025.Q1.7 Authenticated XSS in Embedded Message Field

Title source: llm

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScript into the embedded message field from the form container.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43753

Scores

CVSS v3 5.4

EPSS 0.0004

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

com.liferay/com.liferay.layout.taglib 0 - 16.1.32Maven

liferay/digital_experience_platform 7.4 update32 (49 CPE variants)

Published Aug 21, 2025

Tracked Since Feb 18, 2026