CVE-2025-43794

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Liferay DXP version 2023.Q4.0 Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4 GA through update 92

Description A stored cross-site scripting (XSS) vulnerability exists that allows remote authenticated attackers with the instance administrator role to inject arbitrary web script or HTML into all pages. The vulnerability is triggered by a crafted payload injected into the Instance Configuration's (1) CDN Host HTTP text field or (2) CDN Host HTTPS text field.

Recommendations Liferay Portal versions 7.4.0 through 7.4.3.111: Update to a version later than 7.4.3.111. Liferay DXP versions 2023.Q3.1 through 2023.Q3.4: Update to a version later than 2023.Q3.4. Liferay DXP version 2023.Q4.0: Update to a newer version. Liferay Portal versions 7.3 GA through update 35: Update to a version later than update 35. Liferay Portal versions 7.4 GA through update 92: Update to a version later than update 92.