CVE-2025-43826
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-12-15
Assigner: Liferay Inc.
Description
Description
Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allow remote attackers to inject arbitrary web script or HTML via any rich text field in a web content article.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | to 7.4 (inc) |
| liferay | digital_experience_platform | From 2023.Q3.1 (inc) to 2023.Q3.10 (inc) |
| liferay | digital_experience_platform | From 2023.Q4.0 (inc) to 2023.Q4.9 (exc) |
| liferay | digital_experience_platform | From 2024.Q1.1 (inc) to 2024.Q1.3 (exc) |
| liferay | liferay_portal | From 7.2.0 (inc) to 7.4.3.113 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
