Home

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.

PUBLISHED Reserved 2025-04-17 | Published 2025-08-19 | Updated 2025-08-19 | Assigner Liferay




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79: Cross-site Scripting

Product status

Default status
unaffected

7.4.3.132
affected

Default status
unaffected

2025.Q1.0
affected

2025.Q2.0
affected

Credits

NDIx reporter

References

liferay.dev/...-/asset_publisher/jekt/content/CVE-2025-43737

cve.org (CVE-2025-43737)

nvd.nist.gov (CVE-2025-43737)

Download JSON