CVE-2025-43817: Liferay Portal vulnerable to reflected cross-site scripting via the `redirect` parameter
(updated )
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the redirect parameter to (1) Announcements, or (2) Alerts.
References
- github.com/advisories/GHSA-m4hg-46pw-6mmv
- github.com/liferay/liferay-portal
- github.com/liferay/liferay-portal/commit/40b9dcafccff4b0ba2a20ef4c9723bea820f814b
- liferay.atlassian.net/browse/LPE-17902
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43817
- nvd.nist.gov/vuln/detail/CVE-2025-43817
Code Behaviors & Features
Detect and mitigate CVE-2025-43817 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →