CVE-2025-43757

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter.

Published: Aug 20, 2025
Updated: Aug 22, 2025
CVE: CVE-2025-43757
GHSA: GHSA-62pf-hcwj-rcfc
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay.portal / release.portal.bom	7.4.0-ga1	7.4.3.132-ga132.x

https://github.com/liferay/liferay-portal/commit/0114bb60238e5ac74b90fba37fa9748c4e6c114a
https://github.com/liferay/liferay-portal/commit/0837982b91c5f9e837ec11a93f7e0986e00738fa
https://github.com/liferay/liferay-portal/commit/45492d30bad4084f36e87ef11c29a5bf5fb4046d
https://github.com/liferay/liferay-portal/commit/90396a201d05be5840f99f7487578aab253dfa87
https://github.com/liferay/liferay-portal/commit/9e0026c8aa444937a2bfd079bcca35ab3dd18f5a
https://github.com/liferay/liferay-portal/commit/cc46176ba4142f470d540f2343b36f12a678a240
https://github.com/liferay/liferay-portal/commit/d001c5ba8a1477755d7d83b8a00aba23036b045b
https://github.com/liferay/liferay-portal/commit/e83d102bf00af3aa4396c1fc5a1d6b3842ccaeb1
https://liferay.atlassian.net/browse/LPE-18259
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43757

Vulnerability Database

CVE-2025-43757