CVE-2025-43774 - Vulnerability Details

This CVE ID is rejected. The reported vulnerability was found to be present only in a feature that was under development and protected by a beta feature flag. As a result, the issue was not exploitable in the official or public releases within the specified affected ranges, making this a false positive for officially released versions.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Liferay	Dxp Portal

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Liferay	Dxp Portal

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

No reference.

History

Thu, 18 Sep 2025 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-79
References	https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43774
Metrics	cvssV4_0 `{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Thu, 18 Sep 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 18 Sep 2025 17:00:00 +0000

Type	Values Removed	Values Added
Description	A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote authenticated user to inject JavaScript code via Style Book theme name. This malicious payload is then reflected and executed within the user's browser.	This CVE ID is rejected. The reported vulnerability was found to be present only in a feature that was under development and protected by a beta feature flag. As a result, the issue was not exploitable in the official or public releases within the specified affected ranges, making this a false positive for officially released versions.
Metrics	cvssV4_0 `{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`	cvssV4_0 `{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Tue, 09 Sep 2025 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Liferay Liferay dxp Liferay portal
Vendors & Products		Liferay Liferay dxp Liferay portal

Tue, 09 Sep 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Sep 2025 00:45:00 +0000

Type	Values Removed	Values Added
Description		A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote authenticated user to inject JavaScript code via Style Book theme name. This malicious payload is then reflected and executed within the user's browser.
Weaknesses		CWE-79
References		https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43774
Metrics		cvssV4_0 `{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: REJECTED

Assigner: Liferay

Published: 2025-09-09T00:26:08.205Z

Updated: 2025-09-18T16:46:08.850Z

Reserved: 2025-04-17T10:55:28.237Z

Link: CVE-2025-43774

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-09-09T01:15:31.967

Modified: 2025-09-18T17:15:38.660

Link: CVE-2025-43774

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-09-09T21:31:46Z

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object