Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via remote app title field.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "2024.Q1.1"
},
{
"fixed": "2024.Q1.13"
},
{
"introduced": "2024.q2.0"
},
{
"last_affected": "2024.q2.13"
},
{
"introduced": "2024.Q3.0"
},
{
"fixed": "2024.Q3.6"
}
],
"vendor_product": "liferay:digital_experience_platform",
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "7.4"
},
{
"last_affected": "7.4"
}
],
"vendor_product": "liferay:digital_experience_platform",
"source": "CPE_STRING"
}
]
}[
{
"source": "https://github.com/liferay/liferay-portal/commit/9bc3ecc0e54e74532403f3b281d3d542e95babd8",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "57115968376390560967885530032985434205",
"length": 304.0
},
"deprecated": false,
"id": "CVE-2025-43775-89cd59f6",
"target": {
"function": "testUpgradeProcess",
"file": "modules/apps/dynamic-data-mapping/dynamic-data-mapping-test/src/testIntegration/java/com/liferay/dynamic/data/mapping/internal/upgrade/v5_6_1/test/DDMFieldAttributeUpgradeProcessTest.java"
}
},
{
"source": "https://github.com/liferay/liferay-portal/commit/9bc3ecc0e54e74532403f3b281d3d542e95babd8",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"179772675958613422767713377468908871682",
"244399705317510526091317168555219523761",
"132569019723834552443776610039766080788",
"32054084799560152186930759783497281023",
"234529184054465291764936572438166749093",
"78377685304783572495740352849876029142",
"134663871138638082137858968838889813557",
"7936592204798143019898109296741974255"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2025-43775-ee25579f",
"target": {
"file": "modules/apps/dynamic-data-mapping/dynamic-data-mapping-test/src/testIntegration/java/com/liferay/dynamic/data/mapping/internal/upgrade/v5_6_1/test/DDMFieldAttributeUpgradeProcessTest.java"
}
}
]
"2026-07-12T13:00:57Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43775.json"