Cross-site Scripting Flaw in Liferay Portal and DXP Products
CVE-2025-43804

5.1 MEDIUM

Key Information:

Vendor: Liferay

CVE Published: 16 September 2025

What is CVE-2025-43804?

A cross-site scripting (XSS) vulnerability exists in the Search widget of Liferay Portal versions 7.4.3.93 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4. Remote attackers can inject arbitrary web script or HTML via the _com_liferay_portal_search_web_portlet_SearchPortlet_userId parameter. Successful exploitation could lead to unauthorized actions being performed on behalf of a user, compromising the security of the affected application.
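
For defenders reviewing web server logs on affected versions, the following added example (not part of the original advisory and not Liferay code) flags requests where the parameter named above carries anything other than a number. It assumes a user ID is a plain decimal value and that logs use the common/combined access log format; the sample log lines, client addresses and the /web/guest/search path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter named in the CVE description.
PARAM = "_com_liferay_portal_search_web_portlet_SearchPortlet_userId"

# Assumption: a user ID is a plain decimal number, so anything else is suspect.
NUMERIC = re.compile(r"\d{1,20}")

# Request line inside a common/combined-format log entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_values(target):
    """Return decoded, non-numeric values of PARAM found in a request target."""
    # parse_qsl percent-decodes names and values once, so a double-encoded
    # value still shows up as non-numeric text (for example "%22").
    pairs = parse_qsl(urlsplit(target).query)
    return [v for k, v in pairs if k == PARAM and not NUMERIC.fullmatch(v)]


def scan(lines):
    """Return (line_number, client, value) for each log line worth reviewing."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        for value in suspicious_values(match.group("target")):
            findings.append((number, client, value))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    f'203.0.113.7 - - [16/Sep/2025:10:00:01 +0000] '
    f'"GET /web/guest/search?q=docs&{PARAM}=20123 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [16/Sep/2025:10:00:05 +0000] '
    f'"GET /web/guest/search?{PARAM}=%22%3E%3Cb%3Ex HTTP/1.1" 200 5342',
    '198.51.100.4 - - [16/Sep/2025:10:00:09 +0000] '
    '"GET /web/guest/search?q=userId HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for number, client, value in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent non-numeric userId {value!r}")
```

Access logs record only the query string, so values submitted in a POST body are not covered by this check.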

Affected Version(s)

DXP 2023.Q3.1 <= 2023.Q3.4

DXP 2023.Q4.0 <= 2023.Q4.1

Portal 7.4.3.93 <= 7.4.3.111

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
