A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the text field from a web content.
History

Mon, 25 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 23 Aug 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Liferay
Liferay dxp
Liferay portal
Vendors & Products Liferay
Liferay dxp
Liferay portal

Sat, 23 Aug 2025 04:45:00 +0000

Type Values Removed Values Added
Description A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the text field from a web content.
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Liferay

Published:

Updated: 2025-08-25T18:44:58.753Z

Reserved: 2025-04-17T10:55:26.804Z

Link: CVE-2025-43765

cve-icon Vulnrichment

Updated: 2025-08-25T18:44:54.238Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-23T05:15:31.873

Modified: 2025-08-25T20:24:45.327

Link: CVE-2025-43765

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-23T10:54:55Z