Fluid Attacks Database

Description

Liferay Portal Reflected XSS in CKeditor 4.21.0 endpoint A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the frontend-editor-ckeditor-web/ckeditor/samples/old/ajax.html path

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	liferay-ckeditor	>=0 <4.21.0-liferay.10	4.21.0-liferay.10
maven	com.liferay:com.liferay.frontend.editor.ckeditor.web	>=0 <5.0.107	5.0.107
maven	com.liferay:com.liferay.frontend.js.dependencies.web	>=0 <1.0.25	1.0.25

Aliases

1. CVE-2025-437612. NVD-2025-437613. OSV-2025-437614. GCVE-2025-43761

References

1. https://github.com/liferay/liferay-portal/commit/4b638ee704340426d806da8ab3d0f92b4be7a0da2. https://liferay.atlassian.net/browse/LPE-181633. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43761

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.