CVE-2025-43783

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path.

Published: Sep 10, 2025
Updated: Dec 20, 2025
CVE: CVE-2025-43783
GHSA: GHSA-jhgr-j9cj-8j62
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.frontend.editor.ckeditor.web	5.0.76	5.0.102
liferay / digital_experience_platform	2024.Q1.1	2024.q1.13
liferay / digital_experience_platform	2024.q2.0	2024.q2.13.x
liferay / digital_experience_platform	2024.Q3.0	2024.q3.2
liferay / digital_experience_platform	7.4-update73	7.4-update73.x
liferay / digital_experience_platform	7.4-update74	7.4-update74.x
liferay / digital_experience_platform	7.4-update75	7.4-update75.x
liferay / digital_experience_platform	7.4-update76	7.4-update76.x
liferay / digital_experience_platform	7.4-update77	7.4-update77.x
liferay / digital_experience_platform	7.4-update78	7.4-update78.x
liferay / digital_experience_platform	7.4-update79	7.4-update79.x
liferay / digital_experience_platform	7.4-update80	7.4-update80.x
liferay / digital_experience_platform	7.4-update81	7.4-update81.x
liferay / digital_experience_platform	7.4-update82	7.4-update82.x
liferay / digital_experience_platform	7.4-update83	7.4-update83.x
liferay / digital_experience_platform	7.4-update84	7.4-update84.x
liferay / digital_experience_platform	7.4-update85	7.4-update85.x
liferay / digital_experience_platform	7.4-update86	7.4-update86.x
liferay / digital_experience_platform	7.4-update87	7.4-update87.x
liferay / digital_experience_platform	7.4-update88	7.4-update88.x
liferay / digital_experience_platform	7.4-update89	7.4-update89.x
liferay / digital_experience_platform	7.4-update90	7.4-update90.x
liferay / digital_experience_platform	7.4-update91	7.4-update91.x
liferay / digital_experience_platform	7.4-update92	7.4-update92.x
liferay / liferay_portal	7.4.0	7.4.3.129

Vulnerability Database

313,495

CVE-2025-43783

Deep Security Visibility Without the Complexity