GHSA-gj92-p9mh-83j8

Source

https://github.com/advisories/GHSA-gj92-p9mh-83j8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-gj92-p9mh-83j8/GHSA-gj92-p9mh-83j8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gj92-p9mh-83j8

Aliases

CVE-2025-43818

Published

2025-09-30T00:30:28Z

Modified

2025-09-30T20:57:32.167506Z

Severity

4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Liferay Portal vulnerable to cross-site scripting in the Calendar widget

Details

Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Calendar's “Name” text field

Database specific

{
    "github_reviewed_at": "2025-09-30T20:26:01Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2025-09-29T22:15:35Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / com.liferay:com.liferay.calendar.web

Package

Name: com.liferay:com.liferay.calendar.web; View open source insights on deps.dev
Purl: pkg:maven/com.liferay/com.liferay.calendar.web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.45

Fixed

5.0.87

Affected versions

5.*

5.0.45

5.0.46

5.0.47

5.0.48

5.0.49

5.0.50

5.0.51

5.0.52

5.0.53

5.0.54

5.0.55

5.0.56

5.0.57

5.0.58

5.0.59

5.0.60

5.0.61

5.0.62

5.0.63

5.0.64

5.0.65

5.0.66

5.0.67

5.0.68

5.0.69

5.0.70

5.0.71

5.0.72

5.0.73

5.0.74

5.0.75

5.0.76

5.0.77

5.0.78

5.0.79

5.0.80

5.0.81

5.0.82

5.0.83

5.0.84

5.0.85

5.0.86