CVE-2025-43791
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-12-16

Assigner: Liferay Inc.

Description
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a "Rich Text" type field to (1) a web content structure, (2) a Documents and Media Document Type , or (3) custom assets that uses the Data Engine's module Rich Text field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-14
NVD
CVE-2025-43791
EUVD
EUVD-2025-29222
Affected Vendors & Products
Showing 138 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2023.q3.1 (inc) to 2023.q3.5 (exc)
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 2023.q4.0
liferay liferay_portal to 7.4.3.112 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43791 involves multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP. Attackers can inject malicious web scripts or HTML into 'Rich Text' fields used in web content structures, Documents and Media Document Types, or custom assets that use the Data Engine's Rich Text module. This allows remote attackers to execute arbitrary scripts in the context of the affected application. [1]

Impact Analysis

This vulnerability can allow remote attackers to execute arbitrary scripts in the context of the affected Liferay Portal or DXP instance. This may lead to unauthorized actions such as stealing user session data, defacing web content, or performing actions on behalf of authenticated users, potentially compromising the integrity and confidentiality of the application data. [1]

Detection Guidance

Detection of this vulnerability involves identifying if your Liferay Portal or DXP instance is running a vulnerable version and if Rich Text fields are accepting untrusted input that could contain malicious scripts. There are no specific commands provided in the resources to detect exploitation attempts or presence of the vulnerability. Generally, you can check the version of your Liferay installation to see if it falls within the vulnerable versions (7.3.0 through 7.4.3.111 for Portal, and 2023.Q3.1 through 2023.Q3.4, 2023.Q4.0, 7.4 GA through update 92, and 7.3 GA through update 36 for DXP). Additionally, monitoring web requests for suspicious payloads injected into Rich Text fields could help detect exploitation attempts, but no exact commands or tools are specified. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading your Liferay Portal or DXP to a fixed version. The vulnerability is fixed in Liferay Portal 7.4.3.112 and later, and Liferay DXP versions 2023.Q3.5, 2023.Q4.1, and 2024.Q1.1. Until you can upgrade, consider restricting user input in Rich Text fields, applying input validation or sanitization, and limiting user privileges to reduce the risk of exploitation. However, the primary and recommended mitigation is to apply the official patches or upgrade to the fixed versions. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43791. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart