CVE-2025-43734

Description

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via the first display label field in the configuration of a custom sort widget. The malicious payload is then reflected and executed by the Clay button taglib when the page is refreshed.

Risk Information

Base Score: 5.4 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Score (exploitation probability): 0.032

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2025-43736, CVE-2025-43734 are fixed in Liferay - release.dxp.bom 1.17 | Windows
Vulnerability CVE-2025-43734 is fixed in Liferay - release.dxp.bom 1.11 | Windows
Vulnerabilities CVE-2025-4655, CVE-2025-43736, CVE-2025-43735, CVE-2025-43734, CVE-2025-4581 affect Liferay - release.dxp.bom 4.7 | Windows
Vulnerabilities CVE-2025-4655, CVE-2025-43734, CVE-2025-4581, CVE-2025-43776 affect Liferay - release.portal.bom 7.4.3.132 | Windows
Vulnerability CVE-2025-43734 is fixed in Liferay - com.liferay.frontend.taglib.clay 15.2.2 | Windows
Vulnerabilities CVE-2025-43736, CVE-2025-43734 are fixed in Liferay - release.dxp.bom for Linux 1.17 | Linux
Vulnerability CVE-2025-43734 is fixed in Liferay - release.dxp.bom for Linux 1.11 | Linux
Vulnerabilities CVE-2025-4655, CVE-2025-43736, CVE-2025-43735, CVE-2025-43734, CVE-2025-4581 affect Liferay - release.dxp.bom for Linux 4.7 | Linux
Vulnerabilities CVE-2025-4655, CVE-2025-43734, CVE-2025-4581, CVE-2025-43776 affect Liferay - release.portal.bom for Linux 7.4.3.132 | Linux
Vulnerability CVE-2025-43734 is fixed in Liferay - com.liferay.frontend.taglib.clay for Linux 15.2.2 | Linux

Patch Details

No records found
