CVE-2025-43771 MEDIUM

CVE-2025-43771

Vendor Liferay
Product Portal
Weakness CWE-79 · XSS
Published October 8, 2025
Last update October 8, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content.

Key dates

02Disclosure timeline

October 8, 2025 CVE published
October 8, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-3237 WP Contact Slider < 2.4.8 - Admin+ Stored Cross-Site Scripting CVE-2022-47591 WordPress Map Multi Marker Plugin <= 3.2.1 is vulnerable to Cross Site Scripting (XSS) CVE-2024-51874 WordPress ParOne Feeds plugin <= 1.17.1 - Cross Site Scripting (XSS) vulnerability CVE-2022-0880 Cross-site Scripting (XSS) - Stored in star7th/showdoc CVE-2023-22707 WordPress Greenshift – animation and page builder blocks Plugin <= 4.9.9 is vulnerable to Cross Site Scripting (XSS)