CNNVD-202508-2197 Information

CNNVD ID

CNNVD-202508-2197

Related CVE

CVE-2025-43737

• CNNVD Published: 2025-08-19

Description (Chinese)

Liferay Portal和Liferay DXP都是美国Liferay公司的产品。Liferay Portal是一套基于J2EE的门户解决方案。该方案使用了EJB以及JMS等技术，并可作为Web发布和共享工作区、企业协作平台、社交网络等。Liferay DXP是一套数字化体验协作平台。 Liferay Portal和Liferay DXP存在跨站脚本漏洞，该漏洞源于参数注入，可能导致反射型跨站脚本攻击。以下产品及版本受到影响：Liferay Portal 7.4.3.132版本和Liferay DXP 2025.Q2.0至2025.Q2.8版本和2025.Q1.0至2025.Q1.15版本。

Description (English)

Liferay Portal and Liferay DXP are products of the United States company Liferay. Liferay Portal is a portal solution based on J2EE. The programme uses technologies such as EJB and JMS, and can be used as a Web-based workspace, corporate collaboration platform, social networking etc. Liferay DXP is a collaborative platform for digital experience. Liferay Portal and Liferay DXP had a cross-site script loophole, which stemmed from the injection of parameters and could lead to a reflective cross-site script attack. The following products and versions were affected: Liveray Portal 7.4.3.132 and Liveray DXP 2025.Q2.0 to 2025.Q2.8 and 2025.Q1.0 to 2025.Q1.15.

Hazard Level

High

Vulnerability Type

跨站脚本

Affected Vendor

Liferay

Published

2025-08-19

Last Modified

2026-02-24

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43737 https://nvd.nist.gov/vuln/detail/CVE-2025-43737 https://access.redhat.com/security/cve/cve-2025-43737

Patch

https://www.liferay.com/downloads-community