CVE-2025-43771

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content.

Published: Oct 8, 2025
Updated: Oct 10, 2025
CVE: CVE-2025-43771
GHSA: GHSA-q8fj-76q7-4p7h
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.flags.web	6.0.23	6.0.24

https://github.com/liferay/liferay-portal
https://github.com/liferay/liferay-portal/commit/0f1f6b628d40c9fc59ad6f561f6bdcc1208b5dbb
https://github.com/liferay/liferay-portal/commit/28dc724658e13acb80f30fb3211d0849592ec4ef
https://github.com/liferay/liferay-portal/commit/90b677d7ca74464f2079266588a67fa56aca842d
https://github.com/liferay/liferay-portal/commit/cca5fe50a5b63000c3ca7469b668af9399025e90
https://liferay.atlassian.net/browse/LPE-17917
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43771

Vulnerability Database

CVE-2025-43771

Deep Security Visibility Without the Complexity