CVE-2025-43800 MEDIUM

CVE-2025-43800

Vendor Liferay
Product Portal
Weakness CWE-79 · XSS
Published September 15, 2025
Last update September 16, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Cross-site scripting (XSS) vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an object with a rich text type field.

Key dates

02Disclosure timeline

September 15, 2025 CVE published
September 16, 2025 Record updated

Related vulnerabilities

04Related CVE