CVE-2025-43783

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path.

Published: Sep 10, 2025
Updated: Sep 13, 2025
CVE: CVE-2025-43783
GHSA: GHSA-jhgr-j9cj-8j62
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.frontend.editor.ckeditor.web	5.0.76	5.0.102

https://github.com/liferay/liferay-portal/commit/d7f9e94e0ebb63b04ac77d6253fe16dbd914bdf1
https://liferay.atlassian.net/browse/LPE-18085
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43783

Vulnerability Database

CVE-2025-43783

Deep Security Visibility Without the Complexity