Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-43753

Good to know:

icon

Date: August 21, 2025

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScript into the embedded message field from the form container.

Severity Score

Related Resources (10)

http://github.com/liferay/liferay-portal/commit/d835c7331e38e048972ab4b8cf3106fc6767015f
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43753
https://github.com/liferay/liferay-portal
https://github.com/liferay/liferay-portal/commit/a2cf59ffd649bc0d9c1125f2b5a925669b68a546
https://github.com/liferay/liferay-portal/commit/0b6a777f9d11668ebd8c9c53befeacd019b6719b
https://nvd.nist.gov/vuln/detail/CVE-2025-43753
https://github.com/liferay/liferay-portal/commit/6ebe926008776c3f741f989a884ad07f02a79d9f
https://github.com/liferay/liferay-portal/commit/0a82d906b3489330d4e8552abe1b19ec2605323e
https://liferay.atlassian.net/browse/LPE-18216
https://www.mend.io/vulnerability-database/CVE-2025-43753

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version com.liferay:com.liferay.layout.taglib:16.1.32

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us