CVE-2025-43817
EPSS 0.03%Liferay Portal vulnerable to reflected cross-site scripting via the `redirect` parameter
Published: 9/30/2025Modified: 9/30/2025
Description
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1) Announcements, or (2) Alerts.
Affected packages (1)
- Maven/com.liferay.portal:release.portal.bom>= 7.4.3.74-ga74, < 7.4.3.112-ga112
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-43817
- PATCHhttps://github.com/liferay/liferay-portal
- WEBhttps://github.com/liferay/liferay-portal/commit/40b9dcafccff4b0ba2a20ef4c9723bea820f814b
- WEBhttps://liferay.atlassian.net/browse/LPE-17902
- WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43817