CVE-2025-43753

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScript into the embedded message field from the form container.

Published: Aug 22, 2025
Updated: Aug 23, 2025
CVE: CVE-2025-43753
GHSA: GHSA-r367-q549-pgr5
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.layout.taglib	-	16.1.32

http://github.com/liferay/liferay-portal/commit/d835c7331e38e048972ab4b8cf3106fc6767015f
https://github.com/liferay/liferay-portal/commit/0a82d906b3489330d4e8552abe1b19ec2605323e
https://github.com/liferay/liferay-portal/commit/0b6a777f9d11668ebd8c9c53befeacd019b6719b
https://github.com/liferay/liferay-portal/commit/6ebe926008776c3f741f989a884ad07f02a79d9f
https://github.com/liferay/liferay-portal/commit/a2cf59ffd649bc0d9c1125f2b5a925669b68a546
https://liferay.atlassian.net/browse/LPE-18216
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43753

Vulnerability Database

CVE-2025-43753