CVE-2025-43733
BaseFortify
Publication date: 2025-08-18
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2025.Q1.0 (inc) to 2025.Q1.8 (exc) |
| liferay | liferay_portal | 7.4.3.132 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43733 is a reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP. A remote authenticated attacker can inject malicious JavaScript code via the content page's name field. This injected script is then reflected and executed in the user's browser when they visit the "document View Usages" page, potentially allowing the attacker to run arbitrary scripts in the context of the affected site. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute malicious JavaScript in the context of a user's browser session when they view the affected page. This could lead to actions such as session hijacking, defacement, or other malicious activities that rely on executing scripts in the victim's browser. However, the CVSS score is 2.3, indicating a low to medium impact, with high attack complexity and requiring user interaction and authentication. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying if your Liferay Portal or Liferay DXP instance is running a vulnerable version (Liferay Portal 7.4.3.132 or Liferay DXP 2025.Q1.0 through 2025.Q1.7). Since the vulnerability is a reflected XSS via the content page's name field, you can test by attempting to inject benign JavaScript payloads into the content page's name field and then accessing the "document View Usages" page to see if the script executes. There are no specific commands provided for automated detection in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading your Liferay Portal or Liferay DXP to a fixed version: Liferay Portal on the master branch, or Liferay DXP versions 2025.Q2.0, 2025.Q1.8, or 2024.Q1.17. Until an upgrade is possible, restrict access to the affected pages to trusted users only, and avoid using the content page's name field for untrusted input. Additionally, applying input validation or sanitization on the content page's name field may help reduce risk. [1]