← back
CVE-2025-43735

CVE-2025-43735

CVSS 6.9 MEDIUMEPSS 0.2%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
12 Aug 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products
Liferay · DXPLiferay · Portal

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43735