Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-43771

Good to know:

icon
icon

Date: October 8, 2025

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content.

Severity Score

Related Resources (9)

https://github.com/liferay/liferay-portal/commit/cca5fe50a5b63000c3ca7469b668af9399025e90
https://github.com/liferay/liferay-portal
https://github.com/liferay/liferay-portal/commit/90b677d7ca74464f2079266588a67fa56aca842d
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43771
https://liferay.atlassian.net/browse/LPE-17917
https://github.com/liferay/liferay-portal/commit/28dc724658e13acb80f30fb3211d0849592ec4ef
https://nvd.nist.gov/vuln/detail/CVE-2025-43771
https://github.com/liferay/liferay-portal/commit/0f1f6b628d40c9fc59ad6f561f6bdcc1208b5dbb
https://www.mend.io/vulnerability-database/CVE-2025-43771

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version com.liferay:com.liferay.flags.web:6.0.24

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us