CVE-2025-43779

MEDIUM

Liferay Portal 7.4.0-7.4.3.112 & DXP 2024.Q1.1-2024.Q1.18 - Authenticated XSS via productTypeName

Title source: llm
STIX 2.1

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet_productTypeName parameter. This malicious payload is then reflected and executed within the user's browser.

References (1)

Core 1

Scores

CVSS v3 6.1
EPSS 0.0003
EPSS Percentile 9.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
liferay/digital_experience_platform 7.4
liferay/digital_experience_platform 2024.Q1.1 - 2024.Q1.19
liferay/liferay_portal 7.4.0 - 7.4.3.113
Published Sep 24, 2025
Tracked Since Feb 18, 2026