CVE-2025-43740
BaseFortify

Publication date: 2025-08-19

Last updated on: 2025-12-19

Assigner: Liferay Inc.

Description
A stored cross-site scripting vulnerability in Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows a remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface.
Meta Information
Published: 2025-08-19
Last Modified: 2025-12-19
Generated: 2026-05-07
AI Q&A: 2025-08-19
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (7 associated CPEs)
Vendor   Product                      Version / Range
liferay  digital_experience_platform  From 2024.Q1.9 (inc) to 2024.Q1.20 (exc)
liferay  digital_experience_platform  From 2024.Q2.1 (inc) to 2024.Q2.13 (inc)
liferay  digital_experience_platform  From 2024.q3.1 (inc) to 2024.q3.13 (inc)
liferay  digital_experience_platform  From 2024.q4.0 (inc) to 2024.q4.7 (inc)
liferay  digital_experience_platform  From 2025.Q1.0 (inc) to 2025.Q1.16 (exc)
liferay  digital_experience_platform  From 2025.Q2.0 (inc) to 2025.Q2.9 (exc)
liferay  liferay_portal               From 7.4.3.120 (inc) to 7.4.3.132 (inc)
Weakness
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-43740 is a stored cross-site scripting (XSS) vulnerability in the message boards feature of Liferay Portal and Liferay DXP. It allows a remote authenticated attacker to inject malicious JavaScript code via the web interface's message boards. This injected code can then be executed in the context of other users who view the message boards, potentially leading to session compromise or unauthorized actions. [1]

How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with authenticated access to inject malicious scripts into message boards. These scripts can execute in the browsers of other users who view the message boards, potentially compromising user sessions or enabling unauthorized actions within the affected system. The impact includes risks to user confidentiality and integrity, although the overall severity is moderate (CVSS score 4.6). [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reviewing the message boards feature in affected Liferay Portal and DXP versions for injected JavaScript code. Since it requires authenticated access, detection involves logging into the system and inspecting message board posts for suspicious scripts. There are no specific commands provided in the resources for detection. [1]
What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading affected Liferay Portal and DXP instances to fixed versions: Liferay Portal master branch, and Liferay DXP versions 2025.Q2.9 or later, and 2025.Q1.16 or later. Additionally, restrict authenticated user permissions on message boards to limit potential exploitation until the update is applied. [1]