Stored Cross-Site Scripting Issues in Liferay Portal and DXP Products
CVE-2025-43822

4.8MEDIUM

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 7 October 2025

What is CVE-2025-43822?

Multiple stored cross-site scripting vulnerabilities exist in Liferay Portal and DXP products, allowing remote attackers to inject arbitrary web scripts or HTML. This can occur through crafted inputs in fields such as the Terms and Conditions' Name, impacting Payment Terms and the Delivery Term sections. Attackers exploiting these vulnerabilities can compromise sensitive data and alter web page content, posing significant risks to users and the integrity of the affected systems.

Affected Version(s)

DXP 7.4.13 <= 7.4.13-u92

DXP 2023.Q3.1 <= 2023.Q3.8

DXP 2023.Q4.0 <= 2023.Q4.5

References

https://liferay.dev/portal/security/known-vulnerabilities...

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 7, 2025
Vulnerability Reserved
Apr 17, 2025

Credit

foobar7

JSON