CVE-2025-43791
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2023.q3.1 (inc) to 2023.q3.5 (exc) |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 2023.q4.0 |
| liferay | liferay_portal | to 7.4.3.112 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43791 involves multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP. Attackers can inject malicious web scripts or HTML into 'Rich Text' fields used in web content structures, Documents and Media Document Types, or custom assets that use the Data Engine's Rich Text module. This allows remote attackers to execute arbitrary scripts in the context of the affected application. [1]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to execute arbitrary scripts in the context of the affected Liferay Portal or DXP instance. This may lead to unauthorized actions such as stealing user session data, defacing web content, or performing actions on behalf of authenticated users, potentially compromising the integrity and confidentiality of the application data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your Liferay Portal or DXP instance is running a vulnerable version and if Rich Text fields are accepting untrusted input that could contain malicious scripts. There are no specific commands provided in the resources to detect exploitation attempts or presence of the vulnerability. Generally, you can check the version of your Liferay installation to see if it falls within the vulnerable versions (7.3.0 through 7.4.3.111 for Portal, and 2023.Q3.1 through 2023.Q3.4, 2023.Q4.0, 7.4 GA through update 92, and 7.3 GA through update 36 for DXP). Additionally, monitoring web requests for suspicious payloads injected into Rich Text fields could help detect exploitation attempts, but no exact commands or tools are specified. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading your Liferay Portal or DXP to a fixed version. The vulnerability is fixed in Liferay Portal 7.4.3.112 and later, and Liferay DXP versions 2023.Q3.5, 2023.Q4.1, and 2024.Q1.1. Until you can upgrade, consider restricting user input in Rich Text fields, applying input validation or sanitization, and limiting user privileges to reduce the risk of exploitation. However, the primary and recommended mitigation is to apply the official patches or upgrade to the fixed versions. [1]