PT-2025-41194 · Liferay · Liferay Portal+1
Foobar7
·
Published
2025-10-07
·
Updated
2025-10-09
·
CVE-2025-43823
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.4.0 through 7.4.3.111
Liferay DXP 2023.Q4 versions prior to patch 6
Liferay DXP 2023.Q3 versions prior to patch 9
Liferay Portal versions 7.4 GA through update 92
Description
A cross-site scripting (XSS) issue exists in the Commerce Search Result widget. This allows remote attackers to inject arbitrary web script or HTML through a crafted payload. The payload is injected into the Commerce Product's Name text field.
Recommendations
Update Liferay Portal to a version after 7.4.3.111.
Apply patch 6 to Liferay DXP 2023.Q4.
Apply patch 9 to Liferay DXP 2023.Q3.
Update Liferay Portal to a version after update 92.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Dxp
Liferay Portal