Home > Vulnerability Database > CVE-2025-43740

Mend.io Vulnerability Database

CVE-2025-43740

Date: August 19, 2025

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface.

Severity Score

4.8

Related Resources (8)

Url: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43740

Url: https://github.com/liferay/liferay-portal

Url: https://liferay.atlassian.net/browse/LPE-18276

Url: https://github.com/liferay/liferay-portal/commit/32821b41f7f62271d1fb9d56c82297cd087780a4

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-43740

Url: https://github.com/liferay/liferay-portal/commit/51e21fa8b3e8b49ed455caeab192c5bba7e15b6d

Url: https://github.com/liferay/liferay-portal/commit/c1b7c6b58f5042072c381fc2664e808ebb745826

Url: https://www.mend.io/vulnerability-database/CVE-2025-43740

Severity Score

4.8

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	4.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-43740

Date: August 19, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?