Moderate severityNVD Advisory· Published Sep 9, 2025· Updated Sep 9, 2025

CVE-2025-43776

Description

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay.portal:release.portal.bomMaven	>= 7.4.0, <= 7.4.3.132	—
com.liferay.portal:release.dxp.bomMaven	>= 7.4, <= 7.4.13.u92	—
com.liferay.portal:release.dxp.bomMaven	>= 2024.Q1.1, < 2024.Q1.20	2024.Q1.20
com.liferay.portal:release.dxp.bomMaven	>= 2024.Q2.0, <= 2024.Q2.13	—
com.liferay.portal:release.dxp.bomMaven	>= 2024.Q3.0, <= 2024.Q3.13	—
com.liferay.portal:release.dxp.bomMaven	>= 2024.Q4.0, <= 2024.Q4.7	—
com.liferay.portal:release.dxp.bomMaven	>= 2025.Q1.0, < 2025.Q1.17	2025.Q1.17
com.liferay.portal:release.dxp.bomMaven	>= 2025.Q2.0, < 2025.Q2.10	2025.Q2.10
com.liferay:com.liferay.portal.workflow.webMaven	< 4.0.94	4.0.94

Affected products

Liferay/Portalv5
Range: 7.4.0
Liferay/DXPv5
Range: 7.4.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-rcc7-jx7p-hrv4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-43776ghsaADVISORY
liferay.atlassian.net/browse/LPE-18277ghsaWEB
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43776ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000