N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-43734

GHSA ID

GHSA-m5c7-5gv3-hcpf

EPSS Score

0.38094%

CWE

CWE-79

Published

8/12/2025

Updated

8/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-43734

CVE-2025-43734: Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the “first display label” field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by clay button taglib when refreshing the page.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-43734

GHSA ID

GHSA-m5c7-5gv3-hcpf

EPSS Score

0.38094%

CWE

CWE-79

Published

8/12/2025

Updated

8/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:release.portal.bom	maven	>= 7.4.0, <= 7.4.3.132
com.liferay.portal:release.dxp.bom	maven	>= 2024.q4.0, <= 2024.q4.7
com.liferay.portal:release.dxp.bom	maven	>= 2024.q3.0, <= 2024.q3.13
com.liferay.portal:release.dxp.bom	maven	>= 2024.q2.0, <= 2024.q2.13
com.liferay.portal:release.dxp.bom	maven	>= 2024.q1.0, <= 2024.q1.16	2024.q1.17
com.liferay.portal:release.dxp.bom	maven	>= 2025.q1.0, <= 2025.q1.10	2025.q1.11
com.liferay.portal:release.dxp.bom	maven	<= 7.4.13.u92

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the ButtonTag.java file, specifically within the writeLabel method. The vulnerability description highlights that a malicious payload injected into the 'first display label' field of a custom sort widget is executed by the clay button taglib. The provided commit patch confirms this. The patch modifies the writeLabel method to include HTML escaping using HtmlUtil.escape() on the _label variable before it is written to the page. This prevents the browser from interpreting any injected script as executable code. The vulnerable function, com.liferay.frontend.taglib.clay.servlet.taglib.ButtonTag.writeLabel, is therefore the key indicator of this vulnerability in a runtime profile, as it's the exact location where the unsanitized user input is rendered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r**l**t** *ross-sit* s*riptin* (XSS) vuln*r**ility in t** Li**r*y Port*l *.*.* t*rou** *.*.*.***, *n* Li**r*y *XP ****.Q*.* t*rou** ****.Q*.**, ****.Q*.* t*rou** ****.Q*.*, ****.Q*.* t*rou** ****.Q*.**, ****.Q*.* t*rou** ****.Q*.**, ****.Q*.* t*rou

Reasoning

T** vuln*r**ility *xists in t** `*uttonT**.j*v*` *il*, sp**i*i**lly wit*in t** `writ*L***l` m*t*o*. T** vuln*r**ility **s*ription *i**li**ts t**t * m*li*ious p*ylo** inj**t** into t** '*irst *ispl*y l***l' *i*l* o* * *ustom sort wi***t is *x**ut** *y

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-43734: Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI