CVE-2025-43783
Liferay Portal is vulnerable to Reflected XSS attack through get_editor path
EPSS 0.04%
Description
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path.
How to fix CVE-2025-43783
To remediate CVE-2025-43783, upgrade the affected package to the fixed version listed below.
- Maven/com.liferay:com.liferay.frontend.editor.ckeditor.web: upgrade to 5.0.102 or later
Is CVE-2025-43783 being exploited?
Low: EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 5.0.76, < 5.0.102
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |