A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the referer or FORWARD_URL using %00 in those parameters.
History

Mon, 25 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 23 Aug 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Liferay
Liferay dxp
Liferay portal
Vendors & Products Liferay
Liferay dxp
Liferay portal

Sat, 23 Aug 2025 01:45:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the referer or FORWARD_URL using %00 in those parameters.
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Liferay

Published:

Updated: 2025-08-25T17:59:50.941Z

Reserved: 2025-04-17T10:55:26.804Z

Link: CVE-2025-43770

cve-icon Vulnrichment

Updated: 2025-08-25T17:59:41.586Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-23T02:15:28.637

Modified: 2025-08-25T20:24:45.327

Link: CVE-2025-43770

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-23T10:54:58Z