logo

Database

Reflected cross-site scripting (XSS) In com.liferay:com.liferay.frontend.taglib.clay

Description

Liferay Portal is vulnerable to XSS attack through its Style Book theme A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote authenticated user to inject JavaScript code via Style Book theme name. This malicious payload is then reflected and executed within the user's browser.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-437742. NVD-2025-437743. OSV-2025-437744. GCVE-2025-43774

References

1. https://github.com/liferay/liferay-portal/commit/e15df92e3faa3abbf38e3643b79ab8cf2983d6df2. https://github.com/liferay/liferay-portal3. https://liferay.atlassian.net/browse/LPE-182224. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43774

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.