CVE-2025-43820

29.09.2025, 22:15

Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a users (1) First Name, (2) Middle text, or (3) Last Name text fields.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Liferay	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Vendor	Product	Version
liferay	digital_experience_platform	2023.Q3.1 ≤ 𝑥 < 2023.Q3.7
liferay	digital_experience_platform	2023.Q4.0 ≤ 𝑥 < 2023.Q4.5
liferay	digital_experience_platform	7.3:update25
liferay	digital_experience_platform	7.3:update26
liferay	digital_experience_platform	7.3:update27
liferay	digital_experience_platform	7.3:update28
liferay	digital_experience_platform	7.3:update29
liferay	digital_experience_platform	7.3:update30
liferay	digital_experience_platform	7.3:update31
liferay	digital_experience_platform	7.3:update32
liferay	digital_experience_platform	7.3:update33
liferay	digital_experience_platform	7.3:update34
liferay	digital_experience_platform	7.3:update35
liferay	digital_experience_platform	7.3:update36
liferay	digital_experience_platform	7.4:update35
liferay	digital_experience_platform	7.4:update36
liferay	digital_experience_platform	7.4:update37
liferay	digital_experience_platform	7.4:update38
liferay	digital_experience_platform	7.4:update39
liferay	digital_experience_platform	7.4:update40
liferay	digital_experience_platform	7.4:update41
liferay	digital_experience_platform	7.4:update42
liferay	digital_experience_platform	7.4:update43
liferay	digital_experience_platform	7.4:update44
liferay	digital_experience_platform	7.4:update45
liferay	digital_experience_platform	7.4:update46
liferay	digital_experience_platform	7.4:update47
liferay	digital_experience_platform	7.4:update48
liferay	digital_experience_platform	7.4:update49
liferay	digital_experience_platform	7.4:update50
liferay	digital_experience_platform	7.4:update51
liferay	digital_experience_platform	7.4:update52
liferay	digital_experience_platform	7.4:update53
liferay	digital_experience_platform	7.4:update54
liferay	digital_experience_platform	7.4:update55
liferay	digital_experience_platform	7.4:update56
liferay	digital_experience_platform	7.4:update57
liferay	digital_experience_platform	7.4:update58
liferay	digital_experience_platform	7.4:update59
liferay	digital_experience_platform	7.4:update60
liferay	digital_experience_platform	7.4:update61
liferay	digital_experience_platform	7.4:update62
liferay	digital_experience_platform	7.4:update63
liferay	digital_experience_platform	7.4:update64
liferay	digital_experience_platform	7.4:update65
liferay	digital_experience_platform	7.4:update66
liferay	digital_experience_platform	7.4:update67
liferay	digital_experience_platform	7.4:update68
liferay	digital_experience_platform	7.4:update69
liferay	digital_experience_platform	7.4:update70
liferay	digital_experience_platform	7.4:update71
liferay	digital_experience_platform	7.4:update72
liferay	digital_experience_platform	7.4:update73
liferay	digital_experience_platform	7.4:update74
liferay	digital_experience_platform	7.4:update75
liferay	digital_experience_platform	7.4:update76
liferay	digital_experience_platform	7.4:update77
liferay	digital_experience_platform	7.4:update78
liferay	digital_experience_platform	7.4:update79
liferay	digital_experience_platform	7.4:update80
liferay	digital_experience_platform	7.4:update81
liferay	digital_experience_platform	7.4:update82
liferay	digital_experience_platform	7.4:update83
liferay	digital_experience_platform	7.4:update84
liferay	digital_experience_platform	7.4:update85
liferay	digital_experience_platform	7.4:update86
liferay	digital_experience_platform	7.4:update87
liferay	digital_experience_platform	7.4:update88
liferay	digital_experience_platform	7.4:update89
liferay	digital_experience_platform	7.4:update90
liferay	digital_experience_platform	7.4:update91
liferay	digital_experience_platform	7.4:update92
liferay	liferay_portal	7.4.3.35 ≤ 𝑥 < 7.4.3.111

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43820