CVE-2025-43794
Description
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote authenticated attackers with the instance administrator role to inject arbitrary web script or HTML into all pages via a crafted payload injected into the Instance Configurations (1) CDN Host HTTP text field or (2) CDN Host HTTPS text field.
Risk Information
Base Score
4.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.028
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2025-43794 are fixed in Liferay - com.liferay.portal.impl 99.0.0 | Windows |
| Vulnerabilities CVE-2025-43794,CVE-2025-62252 are fixed in Liferay - com.liferay.portal.impl 99.0.0 | Windows |
| Vulnerabilities CVE-2025-43794 are fixed in Liferay - com.liferay.portal.impl for Linux 99.0.0 | Linux |
| Vulnerabilities CVE-2025-43794,CVE-2025-62252 are fixed in Liferay - com.liferay.portal.impl for Linux 99.0.0 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234