Moderate severity — NVD Advisory · Published Sep 29, 2025 · Updated Sep 30, 2025
CVE-2025-43818
Description
Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Calendar's "Name" text field. The name is persisted with the calendar and, before the fix, was serialized into the widget's JSON without HTML escaping (see the `toCalendarJSONObject` change in the patches below), so this is a stored XSS; it presumably fires for any user whose browser renders the affected calendar.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.calendar.web (Maven) | >= 5.0.45, < 5.0.87 | 5.0.87 |
Affected products
- Liferay/DXP (version range): 7.3.10-u25
Patches
ff1d01a6bd28 LPS-206603 Ensure calendar name is escaped before being displayed
1 file changed · +41 −0
modules/apps/calendar/calendar-test/src/testIntegration/java/com/liferay/calendar/util/test/CalendarUtilTest.java+41 −0 modified
@@ -8,12 +8,16 @@
 import com.liferay.arquillian.extension.junit.bridge.junit.Arquillian;
 import com.liferay.calendar.model.Calendar;
 import com.liferay.calendar.model.CalendarBooking;
+import com.liferay.calendar.model.CalendarResource;
 import com.liferay.calendar.recurrence.Recurrence;
 import com.liferay.calendar.recurrence.RecurrenceSerializer;
 import com.liferay.calendar.service.CalendarBookingLocalService;
+import com.liferay.calendar.service.CalendarLocalService;
 import com.liferay.calendar.test.util.CalendarBookingTestUtil;
+import com.liferay.calendar.test.util.CalendarResourceTestUtil;
 import com.liferay.calendar.test.util.CalendarTestUtil;
 import com.liferay.calendar.test.util.RecurrenceTestUtil;
+import com.liferay.petra.string.StringPool;
 import com.liferay.portal.kernel.exception.PortalException;
 import com.liferay.portal.kernel.json.JSONArray;
 import com.liferay.portal.kernel.json.JSONObject;
@@ -24,13 +28,16 @@
 import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil;
 import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
 import com.liferay.portal.kernel.service.CompanyLocalService;
+import com.liferay.portal.kernel.service.GroupLocalService;
 import com.liferay.portal.kernel.service.ServiceContext;
 import com.liferay.portal.kernel.test.rule.AggregateTestRule;
 import com.liferay.portal.kernel.test.rule.DataGuard;
 import com.liferay.portal.kernel.test.util.GroupTestUtil;
 import com.liferay.portal.kernel.test.util.RandomTestUtil;
+import com.liferay.portal.kernel.test.util.TestPropsValues;
 import com.liferay.portal.kernel.test.util.UserTestUtil;
 import com.liferay.portal.kernel.theme.ThemeDisplay;
+import com.liferay.portal.kernel.util.HashMapBuilder;
 import com.liferay.portal.kernel.util.ListUtil;
 import com.liferay.portal.kernel.util.LocaleUtil;
 import com.liferay.portal.kernel.util.TimeZoneUtil;
@@ -259,6 +266,33 @@
 null, createThemeDisplay(), calendarBookings, excpectedCalendarBookingIds, actualCalendarBookingIds);
 }
+ @Test
+ public void testToCalendarJSONObject() throws Exception {
+ CalendarResource calendarResource =
+ CalendarResourceTestUtil.addCalendarResource(
+ _groupLocalService.getGroup(TestPropsValues.getGroupId()));
+ Calendar calendar = _calendarLocalService.addCalendar(
+ TestPropsValues.getUserId(), TestPropsValues.getGroupId(),
+ calendarResource.getCalendarResourceId(),
+ HashMapBuilder.put(
+ LocaleUtil.getDefault(),
+ "'\"></option><img onerror=alert(123) src=x>"
+ ).build(),
+ RandomTestUtil.randomLocaleStringMap(), StringPool.UTC, 0, false,
+ false, false, new ServiceContext());
+ Method method = _calendarUtilClass.getMethod(
+ "toCalendarJSONObject", ThemeDisplay.class, Calendar.class);
+ JSONObject jsonObject = (JSONObject)method.invoke(
+ null, createThemeDisplay(), calendar);
+ Assert.assertEquals(
+ "'"></option><img onerror=alert(123) src=x>",
+ jsonObject.get("name"));
+ }
+
 protected void assertRepeatsForever(Recurrence recurrence) {
 Assert.assertNotNull(recurrence);
@@ -355,10 +389,17 @@ protected List<CalendarBooking> getCalendarBookings(
 @Inject private CalendarBookingLocalService _calendarBookingLocalService;
+ @Inject
+ private CalendarLocalService _calendarLocalService;
+
 @Inject private CompanyLocalService _companyLocalService;
 private Group _group;
+
+ @Inject
+ private GroupLocalService _groupLocalService;
+
 private PermissionChecker _permissionChecker;
 private User _privateUser;
 private User _user;
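Review bot: The expected value in the new `Assert.assertEquals` is shown on this page with its HTML entities already decoded (it reads identically to the injected input on the `HashMapBuilder.put` line), so the assertion as displayed cannot be checked from here; the committed source presumably contains the `&lt;`/`&gt;`-style entities produced by `HtmlUtil.escape`, and anyone copying this test from the page should take it from the original commit instead. The test also stops at the JSON layer: it pins `toCalendarJSONObject` but does not exercise the widget rendering path where the script would actually execute, so a later change that routes the name through a different, unescaped field would still pass. A one-line comment on the test would make the intent survive refactors, e.g. `// Regression test for LPS-206603: the calendar name must reach the widget JSON HTML-escaped.` `testToCalendarJSONObject` is complete within the hunk; the enclosing test class and `_calendarUtilClass` are declared outside it.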
ed066f19934a LPS-206603 Apply escape html on calendar name
1 file changed · +2 −1
modules/apps/calendar/calendar-web/src/main/java/com/liferay/calendar/web/internal/util/CalendarUtil.java+2 −1 modified
@@ -30,6 +30,7 @@
 import com.liferay.portal.kernel.service.WorkflowDefinitionLinkLocalService;
 import com.liferay.portal.kernel.service.WorkflowInstanceLinkLocalService;
 import com.liferay.portal.kernel.theme.ThemeDisplay;
+import com.liferay.portal.kernel.util.HtmlUtil;
 import com.liferay.portal.kernel.util.StringUtil;
 import com.liferay.portal.kernel.util.TimeZoneUtil;
 import com.liferay.portal.kernel.util.Validator;
@@ -352,7 +353,7 @@ public static JSONObject toCalendarJSONObject(
 calendar.getCalendarId(), themeDisplay.getScopeGroupId());
 }
 ).put(
- "name", calendar.getName(themeDisplay.getLocale())
+ "name", HtmlUtil.escape(calendar.getName(themeDisplay.getLocale()))
 ).put(
 "permissions", _getPermissionsJSONObject(
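Review bot: Escaping `name` at JSON-serialization time inside `toCalendarJSONObject` is only correct if every consumer of that property inserts it into the DOM as HTML; a consumer that sets it as text (textContent, `setAttribute`), exports it to ICS or email, or embeds it in a JavaScript string will now show `&lt;img …&gt;` literally or remain unprotected, because HTML entity encoding is the wrong encoding for those contexts. That contract should be written down next to the call, e.g. `// "name" is HTML-escaped here because the calendar widget renders it as markup; clients must not escape it a second time.` The other `.put(...)` entries of this builder lie outside the hunk, so I cannot tell whether further user-controlled strings (a description, for instance) are serialized unescaped the same way; they deserve the same check, as does the null case, since `calendar.getName(locale)` could plausibly return null for a missing translation and I cannot confirm from here how `HtmlUtil.escape` handles that. `toCalendarJSONObject` starts and ends outside the hunk.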
References
- github.com/advisories/GHSA-gj92-p9mh-83j8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-43818 (NVD advisory)
- github.com/liferay/liferay-portal/commit/ed066f19934a721a7f9b567db097e04cf4adbdae (fix commit: escape calendar name in CalendarUtil)
- github.com/liferay/liferay-portal/commit/ff1d01a6bd2898e827b1efdf723ef24f7f2bb1bf (fix commit: regression test in CalendarUtilTest)
- liferay.atlassian.net/browse/LPE-17911 (Liferay issue tracker)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43818 (Liferay security bulletin)