Moderate severity · NVD Advisory · Published Aug 19, 2025 · Updated Aug 19, 2025
CVE-2025-43740
Description
A stored cross-site scripting vulnerability in Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows a remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.4.3.120-ga120, <= 7.4.3.132-ga23 | — |
Affected products
- ghsa-coords · Range: >= 7.4.3.120-ga120, <= 7.4.3.132-ga23
References
- github.com/advisories/GHSA-22jp-w3cg-gvmm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-43740 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/32821b41f7f62271d1fb9d56c82297cd087780a4 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/51e21fa8b3e8b49ed455caeab192c5bba7e15b6d (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/c1b7c6b58f5042072c381fc2664e808ebb745826 (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-18276 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43740 (ghsa, WEB)