CVE-2025-43779

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.112 Liferay DXP versions 2024.Q1.1 through 2024.Q1.18 Liferay DXP versions 7.4 GA through update 92

Description A reflected cross-site scripting (XSS) issue exists that allows a remote authenticated attacker to inject JavaScript code. The injection occurs via the com liferay commerce product definitions web internal portlet CPDefinitionsPortlet productTypeName parameter. This malicious code is then reflected and executed in the user's browser.

Recommendations Update Liferay Portal to a version later than 7.4.3.112. Update Liferay DXP to a version later than 2024.Q1.18. Update Liferay DXP to a version later than update 92.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2025-43779

Affected Products

Liferay Dxp

Liferay Portal

CVE-2025-43779

Weakness Enumeration

Related Identifiers

Affected Products

References · 7