CVE-2025-43817
MEDIUMLiferay DXP 2023.Q3.1-2023.Q3.8 & 7.4.3.74-7.4.3.111 - Reflected XSS via Redirect
Title source: llmDescription
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1) Announcements, or (2) Alerts.
References (1)
Core 1
Core References
Scores
CVSS v3
6.1
EPSS
0.0003
EPSS Percentile
9.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (4)
com.liferay.portal/release.portal.bom
7.4.3.74-ga74 - 7.4.3.112-ga112Maven
liferay/digital_experience_platform
7.4 update74 (19 CPE variants)
liferay/digital_experience_platform
2023.q3.1 - 2023.q3.9
liferay/liferay_portal
7.4.3.74 - 7.4.3.112
Published
Sep 29, 2025
Tracked Since
Feb 18, 2026