CVE-2025-43775 — Liferay Portal is vulnerable to XSS attacks via its remote app title field

描述

A stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via remote app title field.

如何修補 CVE-2025-43775

要修補 CVE-2025-43775,請將受影響套件升級到下列已修補版本。

Maven/com.liferay:com.liferay.client.extension.web—升級至 2.0.27 或更新版本

CVE-2025-43775 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

>= 1.0.71, < 2.0.27

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43775
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/e54b2b41564df4f11cfa77b3e6c4353cf0a3b16d
WEBliferay.atlassian.net/browse/LPE-18123