CVE-2025-43802_CVE-2025-43802

4.8 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Stored cross-site scripting (XSS) vulnerability in a custom object’s /o/c/<object-name> API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web script or HTML via the externalReferenceCode parameter.

Basic Information

ID CVE-2025-43802

Source Liferay

Published Sep 15, 2025 at 21:58

Affected Product

Vendor Liferay

Product Portal

Version 7.4.3.51

Affected Versions Liferay Portal 7.4.3.51
Liferay DXP 7.3.10-u33
Liferay DXP 7.4.13-u51
Liferay DXP 2023.Q3.1
Liferay DXP 2023.Q4.0

CWE Classification

CWE-79

References

liferay.dev /portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43802

{
    "lastseen": "",
    "description": "Stored cross-site scripting (XSS) vulnerability in a custom object\u2019s /o/c/<object-name> API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web script or HTML via the externalReferenceCode parameter.",
    "published": "2025-09-15T21:58:18.738Z",
    "modified": "2025-09-15T21:58:18.738Z",
    "type": "cve",
    "title": "CVE-2025-43802",
    "source": "Liferay",
    "references": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43802",
    "id": "CVE-2025-43802",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Liferay Portal 7.4.3.51\nLiferay DXP 7.3.10-u33\nLiferay DXP 7.4.13-u51\nLiferay DXP 2023.Q3.1\nLiferay DXP 2023.Q4.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Portal",
    "version": "7.4.3.51",
    "vendor": "Liferay",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}