A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote authenticated user to inject JavaScript code via Style Book theme name. This malicious payload is then reflected and executed within the user's browser.
History

Tue, 09 Sep 2025 00:45:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote authenticated user to inject JavaScript code via Style Book theme name. This malicious payload is then reflected and executed within the user's browser.
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Liferay

Published:

Updated: 2025-09-09T00:26:08.205Z

Reserved: 2025-04-17T10:55:28.237Z

Link: CVE-2025-43774

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2025-09-09T01:15:31.967

Modified: 2025-09-09T01:15:31.967

Link: CVE-2025-43774

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.