CVE-2025-43812
Liferay Portal vulnerable to cross-site scripting in the web content template
EPSS 0.03%
Description
Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a web content structure's Name text field
How to fix CVE-2025-43812
To remediate CVE-2025-43812, upgrade the affected package to a fixed version below.
- Maven/com.liferay:com.liferay.journal.web—upgrade to 5.0.161 or later
- —upgrade to 7.4.3.112-ga112 or later
Is CVE-2025-43812 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 5.0.34, < 5.0.161
- >= 7.4.3.4-ga4, < 7.4.3.112-ga112
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |