CVE-2025-43742 com.liferay:com.liferay.layout.type.controller.display.page

Package

Manager: maven
Name: com.liferay:com.liferay.layout.type.controller.display.page
Vulnerable Version: >=0 <3.0.59

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.00047 (percentile: 0.13806)

Details

Liferay Portal Vulnerable to Cross-Site Scripting through URLs

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript in web content for friendly URLs.

Metadata

Created: 2025-08-20T12:31:15Z
Modified: 2025-08-20T20:44:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-3fp2-6mwq-4q3j/GHSA-3fp2-6mwq-4q3j.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-3fp2-6mwq-4q3j
Finding: F008
Auto approve: 1