CVE-2025-43781
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-12-16

Assigner: Liferay Inc.

Description
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12 allows remote attackers to inject arbitrary web script or HTML via the URL in search bar portlet
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-43781
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2024.Q1.1 (inc) to 2024.Q1.13 (exc)
liferay digital_experience_platform From 2024.q2.0 (inc) to 2024.q2.13 (inc)
liferay digital_experience_platform From 2024.Q3.0 (inc) to 2024.Q3.9 (exc)
liferay liferay_portal From 7.4.0 (inc) to 7.4.3.129 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43781 is a reflected cross-site scripting (XSS) vulnerability in the search bar portlet of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML via the URL parameter in the search bar, which can lead to malicious script execution within the context of the affected web application. [1]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of the affected web application, potentially leading to user session hijacking, defacement, or redirection to malicious sites. However, the impact on confidentiality and integrity is low, and no impact on availability is noted. User interaction is required for exploitation. [1]

Detection Guidance

This vulnerability can be detected by testing the search bar portlet URL parameters for reflected cross-site scripting (XSS) payloads. You can manually test by injecting common XSS test scripts into the URL parameter of the search bar and observing if the script is executed or reflected in the response. For example, you can use curl or a browser to send requests with payloads such as <script>alert(1)</script> in the URL parameter and check the response for script execution or reflection. Automated tools like OWASP ZAP or Burp Suite can also be used to scan for reflected XSS vulnerabilities in the search bar portlet URLs. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade affected Liferay Portal and Liferay DXP versions to the fixed versions where the vulnerability is resolved. Specifically, upgrade to Liferay Portal 7.4.3.129 or later, and Liferay DXP 2024.Q1.13, 2024.Q3.9, or 2024.Q4.0 or later. Additionally, as a temporary measure, you can implement web application firewall (WAF) rules to block or sanitize suspicious input in the search bar URL parameters to prevent script injection until the upgrade is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43781. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart