Moderate severityNVD Advisory· Published Sep 29, 2025· Updated Sep 30, 2025
CVE-2025-43812
CVE-2025-43812
Description
Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a web content structure's Name text field
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.portal.bomMaven | >= 7.4.3.4-ga4, < 7.4.3.112-ga112 | 7.4.3.112-ga112 |
com.liferay:com.liferay.journal.webMaven | >= 5.0.34, < 5.0.161 | 5.0.161 |
Affected products
2- Liferay/DXPv5Range: 7.4.13
Patches
17466c9ba0126LPD-16333 Escape Structure name
1 file changed · +1 −1
modules/apps/journal/journal-web/src/main/resources/META-INF/resources/ddm_template/edit_basic_info.jsp+1 −1 modified@@ -30,7 +30,7 @@ DDMStructure ddmStructure = journalEditDDMTemplateDisplayContext.getDDMStructure <div class="input-group"> <div class="input-group-item"> - <input placeholder="<%= LanguageUtil.format(locale, "no-x-selected", "structure") %>" id="<%= liferayPortletResponse.getNamespace() %>ddmStructure" name="structure" readonly value="<%= (ddmStructure != null) ? ddmStructure.getName(locale) : StringPool.BLANK %>" class="form-control lfr-input-resource" /> + <input placeholder="<%= LanguageUtil.format(locale, "no-x-selected", "structure") %>" id="<%= liferayPortletResponse.getNamespace() %>ddmStructure" name="structure" readonly value="<%= (ddmStructure != null) ? HtmlUtil.escape(ddmStructure.getName(locale)) : StringPool.BLANK %>" class="form-control lfr-input-resource" /> </div> <c:if test="<%= (ddmTemplate == null) || (ddmTemplate.getClassPK() == 0) %>">
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-jv8x-mm3v-75r7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-43812ghsaADVISORY
- github.com/liferay/liferay-portal/commit/7466c9ba0126a4a93c85913cbec9b11c687deb36ghsaWEB
- liferay.atlassian.net/browse/LPE-17942ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43812ghsaWEB
News mentions
0No linked articles in our index yet.