Liferay DXP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-43794 - Vulnerability Database

Liferay DXP

Liferay DXP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-43794

Medium

Reference: CVE-2025-43794

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2025-43794

Title: Liferay DXP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111 and older unsupported versions and Liferay DXP 2023.Q4.0 2023.Q3.1 through 2023.Q3.4 7.4 GA through update 92 7.3 GA through update 35 and older unsupported versions allows remote authenticated attackers with the instance administrator role to inject arbitrary web script or HTML into all pages via a crafted payload injected into the Instance Configuration39s (1) CDN Host HTTP text field or (2) CDN Host HTTPS text field.