CVE-2025-43775
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-12-16

Assigner: Liferay Inc.

Description
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via remote app title field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-43775
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2024.Q1.1 (inc) to 2024.Q1.13 (exc)
liferay digital_experience_platform From 2024.q2.0 (inc) to 2024.q2.13 (inc)
liferay digital_experience_platform From 2024.Q3.0 (inc) to 2024.Q3.6 (exc)
liferay digital_experience_platform 7.4
liferay liferay_portal From 7.4.0 (inc) to 7.4.3.129 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43775 is a stored cross-site scripting (XSS) vulnerability in the remote apps component of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML via the remote app title field. This means that malicious code can be stored and later executed in the context of users viewing the affected application, potentially leading to unauthorized actions or data exposure. [1]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected remote app titles. This can lead to unauthorized actions such as session hijacking, defacement, or theft of sensitive information. However, exploitation requires high privileges and user interaction, and the overall impact on confidentiality and integrity is low. [1]

Detection Guidance

This vulnerability can be detected by testing the remote app title field for stored cross-site scripting (XSS) payloads. Since it involves injection of arbitrary web scripts or HTML via the remote app title field, you can attempt to input typical XSS test scripts into this field and observe if they are executed or stored unsafely. Specific commands are not provided in the resources, but common approaches include using web application security testing tools like OWASP ZAP or Burp Suite to inject scripts into the remote app title field and monitor responses. Manual testing by submitting payloads such as <script>alert(1)</script> in the remote app title field and checking if the script executes upon viewing the app can also help detect the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading to the fixed versions of Liferay Portal or Liferay DXP. The fixed versions are Liferay Portal 7.4.3.129, Liferay DXP 2024.Q1.13, Liferay DXP 2024.Q3.6, and Liferay DXP 2024.Q4.0. Until an upgrade can be performed, restrict access to the remote app title field to trusted users only, and consider applying input validation or sanitization on the remote app title field to prevent injection of malicious scripts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43775. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart