CVE-2025-43823 PUBLISHED

Assigner: Liferay
Reserved: 17.04.2025 Published: 07.10.2025 Updated: 07.10.2025

Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 4.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Liferay
Product	Portal
Versions	Default: unaffected affected from 7.4.0 to 7.4.3.111 (incl.)

Vendor	Liferay
Product	DXP
Versions	Default: unaffected affected from 7.4.13 to 7.4.13-u92 (incl.) affected from 2023.Q3.1 to 2023.Q3.8 (incl.) affected from 2023.Q4.0 to 2023.Q4.5 (incl.)

Credits

foobar7 reporter

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43823

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE