CVE-2025-43737

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-43737

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43737.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-43737

Aliases

GHSA-vjwr-cqwf-6q96

Published

2025-08-19T19:15:35.313Z

Modified

2026-04-10T05:26:45.339517Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via comliferayjournalwebportletJournalPortlet_backURL parameter.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43737

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type

GIT

Repo

https://github.com/liferay/liferay-portal

Events

Introduced

ec84d86679146b84af526f96471a730c340dda78

Last affected

a9017d1f654503189fcd6eecd59bd501a7015b8c

Database specific

{
    "versions": [
        {
            "introduced": "7.4.0"
        },
        {
            "last_affected": "7.4.3.132"
        }
    ]
}

Affected versions

7.*

7.4.0-ga1

7.4.1-ga2

7.4.2-ga3

7.4.3.132-ga132

7.4.3.4-ga4

7.4.3.41-ga41

7.4.3.5-ga5

7.4.3.6-ga6

7.4.3.7-ga7

7.4.3.88-ga88

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43737.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "2025.Q1.0"
            },
            {
                "fixed": "2025.Q1.16"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "2025.Q2.0"
            },
            {
                "fixed": "2025.Q2.9"
            }
        ]
    }
]