CVE-2025-43822 PUBLISHED

Assigner: Liferay
Reserved: 17.04.2025 Published: 07.10.2025 Updated: 07.10.2025

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via crafted payload injected into a Terms and Condition's Name text field to (1) Payment Terms, or (2) the Delivery Term on the view order page.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 4.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Liferay
Product	Portal
Versions	Default: unaffected affected from 7.4.0 to 7.4.3.111 (incl.)

Vendor	Liferay
Product	DXP
Versions	Default: unaffected affected from 7.4.13 to 7.4.13-u92 (incl.) affected from 2023.Q3.1 to 2023.Q3.8 (incl.) affected from 2023.Q4.0 to 2023.Q4.5 (incl.)

Credits

foobar7 reporter

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43822

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE