CVE-2025-43740 MEDIUM

CVE-2025-43740

Vendor Liferay
Product Portal
Weakness CWE-79 · XSS
Published August 19, 2025
Last update August 19, 2025
View on NVD All CVEs

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface.

Key dates

02Disclosure timeline

August 19, 2025 CVE published
August 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-11777 Sell Media <= 2.5.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2019-12703 Cisco SPA122 ATA with Router Devices DHCP Services Cross-Site Scripting Vulnerability CVE-2023-3535 SimplePHPscripts FAQ Script PHP URL Parameter preview.php cross site scripting CVE-2026-1570 Simple Bible Verse via Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2015-10059 s134328 Webapplication-Veganguide apiService.js cross site scripting