CVE-2025-43778
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-12-12
Assigner: Liferay Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2024.q1.1 (inc) to 2024.q1.21 (exc) |
| liferay | digital_experience_platform | From 2024.q2.0 (inc) to 2024.q2.13 (inc) |
| liferay | digital_experience_platform | From 2024.Q3.0 (inc) to 2024.Q3.13 (inc) |
| liferay | digital_experience_platform | From 2024.q4.0 (inc) to 2024.q4.7 (inc) |
| liferay | digital_experience_platform | From 2025.Q1.0 (inc) to 2025.Q1.17 (exc) |
| liferay | digital_experience_platform | From 2025.Q2.0 (inc) to 2025.Q2.12 (exc) |
| liferay | liferay_portal | From 7.4.0 (inc) to 7.4.3.132 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43778 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP. It occurs because the application does not properly sanitize or escape JavaScript code injected through the name attribute of a fieldset in the Kaleo Forms Admin interface. An authenticated remote attacker can inject malicious JavaScript payloads that are stored and later executed when viewed, potentially compromising user sessions or enabling unauthorized actions. [1]
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker to execute malicious JavaScript in the context of the affected application. This can lead to compromised user sessions, unauthorized actions performed on behalf of users, and potential exposure of sensitive information. The impact is considered low to moderate based on the CVSS score, but it still poses a security risk especially in environments where trusted users have high privileges. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying if your Liferay Portal or DXP installation is running a vulnerable version (e.g., Liferay Portal 7.4.0 through 7.4.3.132 or Liferay DXP versions 2024.Q1.1 through 2024.Q4.7). Since the vulnerability is a stored XSS via the name attribute of a fieldset in Kaleo Forms Admin, you can audit the Kaleo Forms for suspicious or unexpected JavaScript code in fieldset names. There are no specific commands provided for detection, but you can check the version using Liferay's administrative interface or command line tools to confirm the installed version. Additionally, monitoring HTTP requests and responses for injected JavaScript payloads in form field names may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade your Liferay Portal or Liferay DXP to a fixed version. Specifically, upgrade to Liferay Portal on the master branch or Liferay DXP versions 2025.Q1.17 or 2025.Q2.12 or later. Until the upgrade is applied, restrict access to Kaleo Forms Admin to trusted users only, as the vulnerability requires high privileges and authenticated access. Additionally, consider reviewing and sanitizing any existing fieldset names in Kaleo Forms to remove potentially malicious scripts. [1]