CVE-2025-43735 PUBLISHED

Assigner: Liferay
Reserved: 17.04.2025 Published: 12.08.2025 Updated: 12.08.2025

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	Low	Integrity	Low	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Liferay
Product	Portal
Versions	Default: unaffected affected from 7.4.0 to 7.4.3.131 (incl.)

Vendor	Liferay
Product	DXP
Versions	Default: unaffected affected from 7.4.13 to 7.4.13-u92 (incl.) affected from 2024.Q1.1 to 2024.Q1.12 (incl.) affected from 2024.Q2.0 to 2024.Q2.13 (incl.) affected from 2024.Q3.1 to 2024.Q3.13 (incl.) affected from 2024.Q4.0 to 2024.Q4.7 (incl.)

Credits

Shailesh Suthar (@shailesh4594) reporter

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43735

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE