CVE-2025-43742

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript in web content for friendly urls.

Published: Aug 20, 2025
Updated: Aug 21, 2025
CVE: CVE-2025-43742
GHSA: GHSA-3fp2-6mwq-4q3j
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.layout.type.controller.display.page	-	3.0.59

https://github.com/liferay/liferay-portal/commit/9bd2ae22416d20f5e8ce2800ea96993c7df98f95
https://github.com/liferay/liferay-portal/commit/f2621572ca5abfe46bad0dca2fa4836deeefa000
https://liferay.atlassian.net/browse/LPE-18192
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43742

Vulnerability Database

CVE-2025-43742