CVE-2025-43778
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-12-12

Assigner: Liferay Inc.

Description
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the name of a fieldset in Kaleo Forms Admin. The malicious payload is stored and executed without proper sanitization or escaping.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-43778
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2024.q1.1 (inc) to 2024.q1.21 (exc)
liferay digital_experience_platform From 2024.q2.0 (inc) to 2024.q2.13 (inc)
liferay digital_experience_platform From 2024.Q3.0 (inc) to 2024.Q3.13 (inc)
liferay digital_experience_platform From 2024.q4.0 (inc) to 2024.q4.7 (inc)
liferay digital_experience_platform From 2025.Q1.0 (inc) to 2025.Q1.17 (exc)
liferay digital_experience_platform From 2025.Q2.0 (inc) to 2025.Q2.12 (exc)
liferay liferay_portal From 7.4.0 (inc) to 7.4.3.132 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43778 is a stored cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP. It occurs because the application does not properly sanitize or escape JavaScript code injected through the name attribute of a fieldset in the Kaleo Forms Admin interface. An authenticated remote attacker can inject malicious JavaScript payloads that are stored and later executed when viewed, potentially compromising user sessions or enabling unauthorized actions. [1]

Impact Analysis

This vulnerability can allow an authenticated attacker to execute malicious JavaScript in the context of the affected application. This can lead to compromised user sessions, unauthorized actions performed on behalf of users, and potential exposure of sensitive information. The impact is considered low to moderate based on the CVSS score, but it still poses a security risk especially in environments where trusted users have high privileges. [1]

Detection Guidance

Detection involves verifying if your Liferay Portal or DXP installation is running a vulnerable version (e.g., Liferay Portal 7.4.0 through 7.4.3.132 or Liferay DXP versions 2024.Q1.1 through 2024.Q4.7). Since the vulnerability is a stored XSS via the name attribute of a fieldset in Kaleo Forms Admin, you can audit the Kaleo Forms for suspicious or unexpected JavaScript code in fieldset names. There are no specific commands provided for detection, but you can check the version using Liferay's administrative interface or command line tools to confirm the installed version. Additionally, monitoring HTTP requests and responses for injected JavaScript payloads in form field names may help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade your Liferay Portal or Liferay DXP to a fixed version. Specifically, upgrade to Liferay Portal on the master branch or Liferay DXP versions 2025.Q1.17 or 2025.Q2.12 or later. Until the upgrade is applied, restrict access to Kaleo Forms Admin to trusted users only, as the vulnerability requires high privileges and authenticated access. Additionally, consider reviewing and sanitizing any existing fieldset names in Kaleo Forms to remove potentially malicious scripts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart