Fluid Attacks Database

Description

Liferay Portal is vulnerable to XSS attack through its search bar portlet A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12 allows remote attackers to inject arbitrary web script or HTML via the URL in search bar portlet

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay:com.liferay.portal.search.web	>=6.0.125 <6.0.143	6.0.143

Aliases

1. CVE-2025-437812. NVD-2025-437813. OSV-2025-437814. GCVE-2025-43781

References

1. https://github.com/liferay/liferay-portal/commit/f6483b5cff5c07b562c52f9eec336b2ebc9eeacd2. https://liferay.atlassian.net/browse/LPE-181243. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43781

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.