CVE-2025-43755

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript into the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter.

Published: Aug 21, 2025
Updated: Aug 23, 2025
CVE: CVE-2025-43755
GHSA: GHSA-58cq-8wm2-6m87
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.layout.admin.web	-	5.0.191

https://github.com/liferay/liferay-portal/commit/5db1ab018d71689fc1eaebcbd27c202e9c2b44d9
https://github.com/liferay/liferay-portal/commit/f91c374d28c478db38006f5c2d1802c2ab55d034
https://liferay.atlassian.net/browse/LPE-18238
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43755

Vulnerability Database

CVE-2025-43755