Home > Vulnerability Database > CVE-2025-43738

Mend.io Vulnerability Database

CVE-2025-43738

Date: August 19, 2025

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter.

Severity Score

5.4

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-43738

Url: https://github.com/liferay/liferay-portal

Url: https://github.com/liferay/liferay-portal/commit/acc477143b50de2138854548bc5bad06677e708a

Url: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43738

Url: https://liferay.atlassian.net/browse/LPE-18290

Url: https://www.mend.io/vulnerability-database/CVE-2025-43738

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-43738

Date: August 19, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?