CVE-2025-43771

Source
https://cve.org/CVERecord?id=CVE-2025-43771
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43771.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43771
Aliases
Published
2025-10-08T15:16:23.853Z
Modified
2026-04-10T05:26:42.068798Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content.

References

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type
GIT
Repo
https://github.com/liferay/liferay-portal
Events
Database specific
{
    "versions": [
        {
            "introduced": "7.4.3.102"
        },
        {
            "fixed": "7.4.3.112"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43771.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "2023.Q3.1"
            },
            {
                "fixed": "2023.Q3.4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "2023.q4.0"
            },
            {
                "fixed": "2023.q4.6"
            }
        ]
    }
]