CVE-2025-43776
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-12-16

Assigner: Liferay Inc.

Description
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-43776
Affected Vendors & Products
Showing 100 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2024.q1.1 (inc) to 2024.q1.20 (exc)
liferay digital_experience_platform From 2024.q2.0 (inc) to 2024.q2.13 (inc)
liferay digital_experience_platform From 2024.Q3.0 (inc) to 2024.Q3.13 (inc)
liferay digital_experience_platform From 2024.q4.0 (inc) to 2024.q4.7 (inc)
liferay digital_experience_platform From 2025.Q1.0 (inc) to 2025.Q1.17 (exc)
liferay digital_experience_platform From 2025.Q2.0 (inc) to 2025.Q2.10 (exc)
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal From 7.4.0 (inc) to 7.4.3.132 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43776 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP. It occurs because the Process Builder's Configuration tab does not properly escape JavaScript code injected through the Custom Object field label. This allows a remote authenticated attacker with high privileges to inject malicious JavaScript payloads that are stored and later executed within the Process Builder interface without proper sanitization. [1]

Impact Analysis

This vulnerability can allow a remote authenticated attacker with high privileges to execute malicious JavaScript code within the Process Builder interface. This could lead to low impact on confidentiality and integrity, such as unauthorized script execution or manipulation of the interface, but it requires user interaction and high privileges. The overall impact is considered low to moderate based on the CVSS score of 4.6. [1]

Detection Guidance

Detection of this vulnerability involves checking for the presence of malicious JavaScript payloads injected via the Custom Object field label in the Process Builder's Configuration tab of affected Liferay Portal or DXP versions. Since it is a stored XSS vulnerability requiring authenticated access with high privileges, manual inspection of Custom Object field labels and Process Builder configurations for suspicious scripts is recommended. Automated scanning tools or custom scripts that query the Process Builder configurations for unexpected JavaScript code may help. Specific commands are not provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading affected Liferay Portal or DXP instances to fixed versions: Liferay Portal on the master branch, Liferay DXP 2024.Q1.20 or later, Liferay DXP 2025.Q1.17 or later, and Liferay DXP 2025.Q2.10 or later. Until upgrades can be applied, restrict high-privilege authenticated user access to the Process Builder's Configuration tab to trusted personnel only, and monitor for suspicious activity involving Custom Object field labels. Avoid allowing untrusted users to create or modify Custom Object fields. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43776. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart