CVE-2025-43791

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.4 Liferay DXP version 2023.Q4.0 Liferay Portal versions 7.4 GA through update 92 Liferay Portal versions 7.3 GA through update 36

Description The software contains multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a crafted payload into a “Rich Text” type field. The injection points include web content structures, Documents and Media Document Types, and custom assets utilizing the Data Engine’s module Rich Text field.

Recommendations Liferay Portal versions 7.3.0 through 7.4.3.111: Update to a version later than 7.4.3.111. Liferay DXP versions 2023.Q3.1 through 2023.Q3.4: Update to a version later than 2023.Q3.4. Liferay DXP version 2023.Q4.0: Update to a newer version. Liferay Portal versions 7.4 GA through update 92: Update to a version later than update 92. Liferay Portal versions 7.3 GA through update 36: Update to a version later than update 36.