CVE-2025-43775
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2024.Q1.1 (inc) to 2024.Q1.13 (exc) |
| liferay | digital_experience_platform | From 2024.q2.0 (inc) to 2024.q2.13 (inc) |
| liferay | digital_experience_platform | From 2024.Q3.0 (inc) to 2024.Q3.6 (exc) |
| liferay | digital_experience_platform | 7.4 |
| liferay | liferay_portal | From 7.4.0 (inc) to 7.4.3.129 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43775 is a stored cross-site scripting (XSS) vulnerability in the remote apps component of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML via the remote app title field. This means that malicious code can be stored and later executed in the context of users viewing the affected application, potentially leading to unauthorized actions or data exposure. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected remote app titles. This can lead to unauthorized actions such as session hijacking, defacement, or theft of sensitive information. However, exploitation requires high privileges and user interaction, and the overall impact on confidentiality and integrity is low. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the remote app title field for stored cross-site scripting (XSS) payloads. Since it involves injection of arbitrary web scripts or HTML via the remote app title field, you can attempt to input typical XSS test scripts into this field and observe if they are executed or stored unsafely. Specific commands are not provided in the resources, but common approaches include using web application security testing tools like OWASP ZAP or Burp Suite to inject scripts into the remote app title field and monitor responses. Manual testing by submitting payloads such as <script>alert(1)</script> in the remote app title field and checking if the script executes upon viewing the app can also help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading to the fixed versions of Liferay Portal or Liferay DXP. The fixed versions are Liferay Portal 7.4.3.129, Liferay DXP 2024.Q1.13, Liferay DXP 2024.Q3.6, and Liferay DXP 2024.Q4.0. Until an upgrade can be performed, restrict access to the remote app title field to trusted users only, and consider applying input validation or sanitization on the remote app title field to prevent injection of malicious scripts. [1]