CVE-2025-43771

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.102 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5

Description The Notifications widget contains multiple cross-site scripting (XSS) issues. These allow remote attackers to inject arbitrary web script or HTML through crafted payloads. The injection points include the First Name text field, the Middle Name text field, the Last Name text field, the “Other Reason” text field when flagging content, and the name of the flagged content. Successful exploitation could allow an attacker to execute malicious scripts in the context of a user's browser.

Recommendations Update Liferay Portal to a version later than 7.4.3.111. Update Liferay DXP to a version later than 2023.Q3.10 and 2023.Q4.5.