CVE-2025-43821

描述

Cross-site Scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.

如何修補 CVE-2025-43821

要修補 CVE-2025-43821,請將受影響套件升級到下列已修補版本。

• Maven/com.liferay.commerce:com.liferay.commerce.product.service—升級至 6.0.134 或更新版本

CVE-2025-43821 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 6.0.5, < 6.0.134

CVSS 分數

參考連結(4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43821
• PATCHgithub.com/liferay/com-liferay-commerce
• WEBgithub.com/liferay/liferay-portal/commit/433f82c03fac10167f1f811efb482d6010bac6db
• WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43821