Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2025-43802)

Description

Stored cross-site scripting (XSS) vulnerability in a custom object’s /o/c/<object-name> API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web script or HTML via the externalReferenceCode parameter.

Remediation

References

Related Vulnerabilities

Dotclear Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2008-3232)

WordPress Plugin Gift Certificate Creator Cross-Site Scripting (1.0.0)

WordPress Plugin PWA for WP & AMP Unspecified Vulnerability (1.0.8)

Oracle Database Server CVE-2008-2611 Vulnerability (CVE-2008-2611)

WordPress Plugin Custom Content Type Manager Backdoor (0.9.8.8)

Severity

Medium

Classification

CVE-2025-43802 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities