CVE-2025-43734

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2025.Q1.0 through 2025.Q1.10 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q2.1 through 2024.Q2.13 Liferay DXP versions 2024.Q1.1 through 2024.Q1.16 Liferay Portal versions 7.4 GA through update 92

Description: A reflected cross-site scripting (XSS) vulnerability allows a remote authenticated attacker to inject JavaScript code into the “first display label” field within the configuration of a custom sort widget. This malicious payload is then reflected and executed by the clay button taglib when the page is refreshed.

Recommendations: Liferay Portal versions 7.4.0 through 7.4.3.132: Update to a newer version. Liferay DXP versions 2025.Q1.0 through 2025.Q1.10: Update to a newer version. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7: Update to a newer version. Liferay DXP versions 2024.Q3.1 through 2024.Q3.13: Update to a newer version. Liferay DXP versions 2024.Q2.1 through 2024.Q2.13: Update to a newer version. Liferay DXP versions 2024.Q1.1 through 2024.Q1.16: Update to a newer version. Liferay Portal versions 7.4 GA through update 92: Update to a newer version.