CVE-2025-43734
Description
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by clay button taglib when refreshing the page.
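As an added illustration (not Liferay's code and not part of this advisory), the following Java class models the behaviour the description refers to: a configurable button label written into the button markup as-is versus written after HTML escaping. It assumes the label arrives unchanged from the widget configuration; escapeHtml() is a minimal stand-in for Liferay's HtmlUtil.escape(), writeLabelUnescaped and writeLabelEscaped are hypothetical names, and the resource-bundle lookup is omitted.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

/**
 * Added example, not Liferay's code. Models a button tag's writeLabel() before
 * and after an output-escaping fix. Assumption: the label string is whatever an
 * administrator typed into a widget configuration field, passed through unchanged.
 */
public class ClayButtonLabelDemo {

    /** Minimal HTML text-node escaper, a stand-in for HtmlUtil.escape() (assumption). */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '&':  sb.append("&amp;"); break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Pre-fix pattern: the configured label is written into the button body verbatim. */
    static void writeLabelUnescaped(Writer out, String label) throws IOException {
        out.write("<button class=\"btn\">");
        out.write(label);              // stored text becomes markup when the page renders
        out.write("</button>");
    }

    /** Post-fix pattern: the label is HTML-escaped before being written. */
    static void writeLabelEscaped(Writer out, String label) throws IOException {
        out.write("<button class=\"btn\">");
        out.write(escapeHtml(label));  // browser shows the characters instead of parsing them
        out.write("</button>");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample label containing markup characters; the point is that
        // any HTML-significant character in a stored label reaches the page intact.
        String label = "Sort by <b>name</b> & \"date\"";

        StringWriter before = new StringWriter();
        writeLabelUnescaped(before, label);
        StringWriter after = new StringWriter();
        writeLabelEscaped(after, label);

        System.out.println("before fix: " + before);
        System.out.println("after fix:  " + after);
    }
}
```

Running the class prints the two renderings side by side; the unescaped one contains a live <b> element in the button, the escaped one contains only text. Escaping at the point of output, as the patch below does, is the defence for this bug class because it holds regardless of where the label was stored or who was allowed to edit it.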
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.4.0, <= 7.4.3.132 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2024.q4.0, <= 2024.q4.7 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2024.q3.0, <= 2024.q3.13 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2024.q2.0, <= 2024.q2.13 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2024.q1.0, < 2024.q1.17 | 2024.q1.17 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2025.q1.0, < 2025.q1.11 | 2025.q1.11 |
| com.liferay.portal:release.dxp.bom (Maven) | <= 7.4.13.u92 | — |
| com.liferay:com.liferay.frontend.taglib.clay (Maven) | < 15.2.2 | 15.2.2 |
Affected products
- Liferay/DXP (v5 range: 7.4.13)
Patches
- b4ca1bb0961c LPD-54139 frontend-taglib-clay: Format the label in clay button taglib
1 file changed · +5 −2
modules/apps/frontend-taglib/frontend-taglib-clay/src/main/java/com/liferay/frontend/taglib/clay/servlet/taglib/ButtonTag.java+5 −2 modified@@ -9,6 +9,7 @@ import com.liferay.petra.string.StringPool; import com.liferay.portal.kernel.language.LanguageUtil; import com.liferay.portal.kernel.theme.ThemeDisplay; +import com.liferay.portal.kernel.util.HtmlUtil; import com.liferay.portal.kernel.util.Validator; import com.liferay.portal.kernel.util.WebKeys; import com.liferay.taglib.util.TagResourceBundleUtil; @@ -275,8 +276,10 @@ protected void writeIcon(JspWriter jspWriter) throws IOException { protected void writeLabel(JspWriter jspWriter) throws IOException { jspWriter.write( - LanguageUtil.get( - TagResourceBundleUtil.getResourceBundle(pageContext), _label)); + HtmlUtil.escape( + LanguageUtil.get( + TagResourceBundleUtil.getResourceBundle(pageContext), + _label))); } private static final String _ATTRIBUTE_NAMESPACE = "clay:button:";
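Review bot: in the writeLabel hunk the escape wraps the result of LanguageUtil.get rather than _label itself, which is the right order since the translated string is what is written; the hunk covers only this text-node path, though, so the review should confirm that ButtonTag writes _label nowhere else, for example into a title or aria attribute, because an attribute context needs attribute-specific escaping rather than the text escape used here. Worth stating in the commit message as well: any caller that already passed a pre-escaped label will now be double-escaped and should stop escaping on its side.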
Vulnerability mechanics
Generated by a stub on May 9, 2026. Inputs: CWE entries and fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m5c7-5gv3-hcpf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-43734 (GHSA, advisory)
- github.com/liferay/liferay-portal/commit/b4ca1bb0961cc1f230508e072c30815eabce062f (GHSA, web)
- liferay.atlassian.net/browse/LPE-18234 (GHSA, web)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43734 (GHSA, web)
News mentions
No linked articles in our index yet.