CVE-2025-43800
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2023.q3.1 (inc) to 2023.q3.5 (exc) |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 2023.q4.0 |
| liferay | liferay_portal | From 7.4.3.20 (inc) to 7.4.3.112 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected objects, potentially leading to theft of user data, session hijacking, or other malicious actions performed on behalf of the user. However, the impact is rated as low to moderate with a CVSS score of 4.8, requiring low privileges and user interaction. [1]
Can you explain this vulnerability to me?
CVE-2025-43800 is a cross-site scripting (XSS) vulnerability in the Objects feature of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML by submitting a specially crafted payload into an object that contains a rich text type field. This can lead to malicious scripts running in the context of a user's browser. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update your Liferay Portal or Liferay DXP installation to a fixed version. Specifically, upgrade to Liferay Portal 7.4.3.112 or later, or Liferay DXP 2023.Q3.5, 2023.Q4.1, 2024.Q1.1 or later versions where the issue has been addressed and fixed. [1]