Description

Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1) Announcements, or (2) Alerts.

Remediation

References

CVE-2025-43817

Related Vulnerabilities

phpMyAdmin Other Vulnerability (CVE-2006-2418)

WordPress Plugin Button Widget Smartsoft Cross-Site Request Forgery (1.0.1)

Apache HTTP Server Insufficient Verification of Data Authenticity Vulnerability (CVE-2020-11985)

WordPress Plugin WPS Hide Login Multiple Security Bypass Vulnerabilities (1.5.2.2)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2025-43826)

Severity

Medium

Classification

CVE-2025-43817 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities