Description
Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a publication’s “Name” text field.
Remediation
References