A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet_productTypeName parameter. This malicious payload is then reflected and executed within the user's browser.
Advisories
Source ID Title
EUVD EUVD EUVD-2025-30939 A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet_productTypeName parameter. This malicious payload is then reflected and executed within the user's browser.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 25 Sep 2025 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Liferay
Liferay dxp
Liferay portal
Vendors & Products Liferay
Liferay dxp
Liferay portal

Wed, 24 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Sep 2025 01:15:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet_productTypeName parameter. This malicious payload is then reflected and executed within the user's browser.
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Liferay

Published:

Updated: 2025-09-24T14:16:07.518Z

Reserved: 2025-04-17T10:55:28.238Z

Link: CVE-2025-43779

cve-icon Vulnrichment

Updated: 2025-09-24T14:13:05.270Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-09-24T01:15:30.753

Modified: 2025-09-24T18:11:24.520

Link: CVE-2025-43779

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-09-25T08:21:40Z