CVE-2025-43829 — Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file

Description

There is a Stored Cross-Site Scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a SVG file.

How to fix CVE-2025-43829

To remediate CVE-2025-43829, upgrade the affected package to a fixed version below.

—upgrade to 1.0.83 or later

Is CVE-2025-43829 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.0.41, < 1.0.83

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43829
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/288ba1f41f8c3374c80d7af27346eeebb8c780d0
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43829