Moderate severityNVD Advisory· Published Sep 29, 2025· Updated Sep 30, 2025
CVE-2025-43817
CVE-2025-43817
Description
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the redirect parameter to (1) Announcements, or (2) Alerts.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.portal.bomMaven | >= 7.4.3.74-ga74, < 7.4.3.112-ga112 | 7.4.3.112-ga112 |
Affected products
2- Liferay/DXPv5Range: 7.4.13-u74
Patches
140b9dcafccffLPS-205549 Ensure escapedHREF is not evaluated in a JS context
1 file changed · +2 −1
portal-web/docroot/html/taglib/aui/button/end.jsp+2 −1 modified@@ -47,7 +47,8 @@ onClick="<%= onClick %>" </c:when> <c:when test="<%= Validator.isNotNull(escapedHREF) %>"> - onClick="Liferay.Util.navigate('<%= escapedHREF %>')" + data-href="<%= escapedHREF %>" + onClick="Liferay.Util.navigate(this.dataset.href)" </c:when> </c:choose>
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-m4hg-46pw-6mmvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-43817ghsaADVISORY
- github.com/liferay/liferay-portal/commit/40b9dcafccff4b0ba2a20ef4c9723bea820f814bghsaWEB
- liferay.atlassian.net/browse/LPE-17902ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43817ghsaWEB
News mentions
0No linked articles in our index yet.