GHSA-rcc7-jx7p-hrv4

Source
https://github.com/advisories/GHSA-rcc7-jx7p-hrv4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rcc7-jx7p-hrv4
Aliases
Published
2025-09-09T15:31:20Z
Modified
2025-12-20T03:40:01.438504Z
Severity
  • 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Summary
Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting
Details

A stored cross-site scripting vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript through a Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

Database specific
{
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2025-09-09T15:15:33Z",
    "cwe_ids": [
        "CWE-209",
        "CWE-79"
    ],
    "github_reviewed_at": "2025-09-10T20:15:02Z"
}
References

Affected packages

Maven
com.liferay.portal:release.portal.bom

Package

Name
com.liferay.portal:release.portal.bom
Purl
pkg:maven/com.liferay.portal/release.portal.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.0
Last affected
7.4.3.132

Affected versions

7.*
7.4.0
7.4.1
7.4.1-1
7.4.2
7.4.2-1
7.4.3.4
7.4.3.5
7.4.3.6
7.4.3.7
7.4.3.8
7.4.3.9
7.4.3.10
7.4.3.11
7.4.3.12
7.4.3.13
7.4.3.14
7.4.3.15
7.4.3.16
7.4.3.17
7.4.3.18
7.4.3.19
7.4.3.20
7.4.3.20-ga20
7.4.3.21
7.4.3.21-ga21
7.4.3.22
7.4.3.23
7.4.3.24
7.4.3.25
7.4.3.26
7.4.3.27
7.4.3.28
7.4.3.29
7.4.3.30
7.4.3.31
7.4.3.32
7.4.3.33
7.4.3.34
7.4.3.35
7.4.3.36
7.4.3.37
7.4.3.38
7.4.3.39
7.4.3.40
7.4.3.41
7.4.3.42
7.4.3.43
7.4.3.44
7.4.3.45
7.4.3.46
7.4.3.47
7.4.3.48
7.4.3.49
7.4.3.50
7.4.3.51
7.4.3.52
7.4.3.53
7.4.3.54
7.4.3.55
7.4.3.56
7.4.3.57
7.4.3.58
7.4.3.59
7.4.3.60
7.4.3.60-ga60
7.4.3.61
7.4.3.61-ga61
7.4.3.62
7.4.3.63
7.4.3.64
7.4.3.65
7.4.3.66
7.4.3.67
7.4.3.68
7.4.3.69
7.4.3.70
7.4.3.71
7.4.3.72
7.4.3.73
7.4.3.74
7.4.3.75
7.4.3.76
7.4.3.77
7.4.3.78
7.4.3.79
7.4.3.80
7.4.3.81
7.4.3.82
7.4.3.83
7.4.3.84
7.4.3.85
7.4.3.85-ga85
7.4.3.86
7.4.3.87
7.4.3.88
7.4.3.89
7.4.3.90
7.4.3.91
7.4.3.92
7.4.3.93
7.4.3.94
7.4.3.95
7.4.3.95-1
7.4.3.96
7.4.3.97
7.4.3.98
7.4.3.99
7.4.3.100
7.4.3.101
7.4.3.102
7.4.3.103
7.4.3.104
7.4.3.105
7.4.3.106
7.4.3.107
7.4.3.112
7.4.3.112-ga112
7.4.3.120
7.4.3.120-ga120
7.4.3.125
7.4.3.125-ga125
7.4.3.129
7.4.3.132

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4
Last affected
7.4.13.u92

Affected versions

7.*
7.4.10.ep1
7.4.11
7.4.12
7.4.13
7.4.13.u1
7.4.13.u2
7.4.13.u3
7.4.13.u4
7.4.13.u5
7.4.13.u6
7.4.13.u7
7.4.13.u8
7.4.13.u9
7.4.13.u10
7.4.13.u15
7.4.13.u16
7.4.13.u17
7.4.13.u18
7.4.13.u19
7.4.13.u20
7.4.13.u21
7.4.13.u22
7.4.13.u23
7.4.13.u24
7.4.13.u25
7.4.13.u26
7.4.13.u27
7.4.13.u28
7.4.13.u29
7.4.13.u30
7.4.13.u31
7.4.13.u32
7.4.13.u33
7.4.13.u34
7.4.13.u35
7.4.13.u36
7.4.13.u37
7.4.13.u38
7.4.13.u39
7.4.13.u40
7.4.13.u41
7.4.13.u42
7.4.13.u43
7.4.13.u44
7.4.13.u45
7.4.13.u46
7.4.13.u47
7.4.13.u48
7.4.13.u49
7.4.13.u50
7.4.13.u51
7.4.13.u52
7.4.13.u53
7.4.13.u54
7.4.13.u55
7.4.13.u56
7.4.13.u57
7.4.13.u58
7.4.13.u59
7.4.13.u60
7.4.13.u61
7.4.13.u62
7.4.13.u63
7.4.13.u64
7.4.13.u65
7.4.13.u66
7.4.13.u67
7.4.13.u68
7.4.13.u69
7.4.13.u70
7.4.13.u71
7.4.13.u72
7.4.13.u73
7.4.13.u74
7.4.13.u75
7.4.13.u76
7.4.13.u77
7.4.13.u78
7.4.13.u79
7.4.13.u80
7.4.13.u81
7.4.13.u82
7.4.13.u83
7.4.13.u84
7.4.13.u85
7.4.13.u86
7.4.13.u87
7.4.13.u88
7.4.13.u89
7.4.13.u90
7.4.13.u91
7.4.13.u92

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.Q1.1
Fixed
2024.Q1.20

Affected versions

2024.*
2024.q1.1
2024.q1.2
2024.q1.3
2024.q1.4
2024.q1.5
2024.q1.6
2024.q1.7
2024.q1.8
2024.q1.9
2024.q1.10
2024.q1.11
2024.q1.12
2024.q1.13
2024.q1.14
2024.q1.15
2024.q1.16
2024.q1.17
2024.q1.18

Database specific

last_known_affected_version_range
"<= 2024.Q1.19"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.Q2.0
Last affected
2024.Q2.13

Affected versions

2024.*
2024.q2.0
2024.q2.1
2024.q2.2
2024.q2.3
2024.q2.4
2024.q2.5
2024.q2.6
2024.q2.7
2024.q2.8
2024.q2.9
2024.q2.10
2024.q2.11
2024.q2.12
2024.q2.13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.Q3.0
Last affected
2024.Q3.13

Affected versions

2024.*
2024.q3.0
2024.q3.1
2024.q3.2
2024.q3.3
2024.q3.4
2024.q3.5
2024.q3.6
2024.q3.7
2024.q3.8
2024.q3.9
2024.q3.10
2024.q3.11
2024.q3.12
2024.q3.13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.Q4.0
Last affected
2024.Q4.7

Affected versions

2024.*
2024.q4.0
2024.q4.1
2024.q4.2
2024.q4.3
2024.q4.4
2024.q4.5
2024.q4.6
2024.q4.7

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2025.Q1.0
Fixed
2025.Q1.17

Affected versions

2025.*
2025.q1.0
2025.q1.1
2025.q1.2
2025.q1.3
2025.q1.4
2025.q1.5
2025.q1.6
2025.q1.7
2025.q1.8
2025.q1.9
2025.q1.10
2025.q1.11
2025.q1.12
2025.q1.13
2025.q1.14
2025.q1.15

Database specific

last_known_affected_version_range
"<= 2025.Q1.16"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"
com.liferay.portal:release.dxp.bom

Package

Name
com.liferay.portal:release.dxp.bom
Purl
pkg:maven/com.liferay.portal/release.dxp.bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2025.Q2.0
Fixed
2025.Q2.10

Affected versions

2025.*
2025.q2.0
2025.q2.1
2025.q2.2
2025.q2.3
2025.q2.4
2025.q2.5
2025.q2.6

Database specific

last_known_affected_version_range
"<= 2025.Q2.9"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"
com.liferay:com.liferay.portal.workflow.web

Package

Name
com.liferay:com.liferay.portal.workflow.web
Purl
pkg:maven/com.liferay/com.liferay.portal.workflow.web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.0.94

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.0.26
1.0.27
1.0.28
1.0.29
1.0.30
1.0.31
1.0.32
1.0.33
1.0.34
1.0.35
1.0.36
1.0.37
1.0.38
1.0.39
1.0.40
1.0.41
1.0.42
1.0.43
1.0.44
1.0.45
1.0.46
1.0.47
1.0.48
1.0.49
1.0.50
1.0.51
1.0.52
1.0.53
1.0.54
1.0.55
1.0.56
1.0.57
1.0.58
1.0.59
1.0.60
1.0.61
1.0.62
1.0.63
1.0.64
1.0.65
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.50
2.0.51
2.0.52
2.0.53
2.0.54
2.0.55
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.0.21
3.0.22
3.0.23
3.0.24
3.0.25
3.0.26
3.0.27
3.0.28
3.0.29
3.0.30
3.0.31
3.0.32
3.0.33
3.0.34
3.0.35
3.0.36
3.0.37
3.0.38
3.0.39
3.0.40
3.0.41
3.0.42
3.0.43
3.0.44
3.0.45
3.0.46
3.0.47
3.0.48
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.22
4.0.23
4.0.24
4.0.25
4.0.26
4.0.27
4.0.28
4.0.29
4.0.30
4.0.31
4.0.32
4.0.33
4.0.34
4.0.35
4.0.36
4.0.37
4.0.38
4.0.39
4.0.40
4.0.41
4.0.42
4.0.43
4.0.44
4.0.45
4.0.46
4.0.47
4.0.48
4.0.49
4.0.50
4.0.51
4.0.52
4.0.53
4.0.54
4.0.55
4.0.56
4.0.57
4.0.58
4.0.59
4.0.60
4.0.61
4.0.62
4.0.63
4.0.64
4.0.65
4.0.66
4.0.67
4.0.68
4.0.69
4.0.70
4.0.71
4.0.72
4.0.73
4.0.74
4.0.75
4.0.76
4.0.77
4.0.78
4.0.79
4.0.80
4.0.81
4.0.82
4.0.83
4.0.84
4.0.85
4.0.86
4.0.87
4.0.88
4.0.89
4.0.90
4.0.91
4.0.92
4.0.93

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rcc7-jx7p-hrv4/GHSA-rcc7-jx7p-hrv4.json"