CVE-2025-43769 – com.liferay:com.liferay.plugins.admin.web
Package
Manager: maven
Name: com.liferay:com.liferay.plugins.admin.web
Vulnerable Version: >=0 <5.0.36
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00248 (percentile: 0.47962)
Details
Liferay Portal vulnerable to Stored XSS in Components portlet

Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote attackers to execute arbitrary web script or HTML via components tab.
Metadata
Created: 2025-08-23T03:30:43Z
Modified: 2025-08-25T20:46:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-rvmf-jw8g-r35r/GHSA-rvmf-jw8g-r35r.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-rvmf-jw8g-r35r
Finding: F425
Auto approve: 1