CVE-2025-43829: Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file

CVSS Score: N/A

Basic Information

EPSS Score: 0.36234%
Published: 10/8/2025
Updated: 10/9/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: com.liferay.commerce:com.liferay.commerce.shop.by.diagram.web
Ecosystem: maven
Vulnerable Versions: >= 1.0.41, < 1.0.83
First Patched Version: 1.0.83

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The analysis of the provided commit 288ba1f41f8c3374c80d7af27346eeebb8c780d0 clearly points to the vulnerable function. The commit message, 'LPD-15105 clean svg from malicious code', and the changes made in the D3Handler.js file confirm that the vulnerability lies in the handling of SVG files. The _printSVGImage function was identified as the vulnerable function because it was responsible for fetching and rendering the SVG content without proper sanitization. The patch adds the necessary sanitization steps to prevent the execution of malicious scripts embedded in the SVG file. Therefore, any runtime profile during the exploitation of this vulnerability would show the D3Handler._printSVGImage function in the stack trace as it processes the malicious SVG file.

Vulnerable functions

D3Handler._printSVGImage
modules/dxp/apps/commerce/commerce-shop-by-diagram-web/src/main/resources/META-INF/resources/js/DiagramWithAutomapping/D3Handler.js
The `_printSVGImage` function in the `D3Handler` class is responsible for fetching and rendering an SVG image. Before the patch, the function would fetch the SVG content and directly render it into the HTML of the page. This allowed for stored XSS if a malicious SVG file containing scripts was uploaded. The patch mitigates this by sanitizing the SVG content to remove scripts and event handlers before rendering.
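As an added example (not Liferay's code and not the commit's actual change), this is the kind of allow-list sanitization a renderer such as `_printSVGImage` needs before injecting fetched SVG into the page; the tag and attribute allow-lists, the tokenizer and the sample SVG are all constructed here, and a production fix should use a maintained sanitizer such as DOMPurify.

```javascript
// Added example (not Liferay's code): an allow-list SVG sanitizer of the kind the patch applies
// before rendering. The output is rebuilt from recognized tokens only, so <script>, <foreignObject>,
// on* handlers, style and non-fragment hrefs never reach the page. Assumes well-formed XML input;
// illustrative only, production code should rely on a maintained sanitizer such as DOMPurify.
const ALLOWED_TAGS = new Set(['svg', 'g', 'defs', 'use', 'a', 'title', 'desc', 'path', 'rect',
  'circle', 'ellipse', 'line', 'polyline', 'polygon', 'text', 'tspan']);
const ALLOWED_ATTRS = new Set(['id', 'class', 'xmlns', 'viewBox', 'width', 'height', 'x', 'y', 'd',
  'fill', 'stroke', 'stroke-width', 'transform', 'cx', 'cy', 'r', 'points', 'href', 'xlink:href']);
// Tokens: comment | CDATA | <!DOCTYPE> | <?pi?> | tag (name, attrs, self-close) | text
const TOKEN_RE = /<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<![^>]*>|<\?[\s\S]*?\?>|<\/?([A-Za-z][\w:.-]*)((?:\s+[\w:.-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'))?)*)\s*(\/?)>|[^<]+/g;
const ATTR_RE = /([\w:.-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/g;
// Escape bare '&', '<' and '>' but keep entities that are already well-formed.
const escapeText = (s) => s.replace(/&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)/g, '&amp;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');
// Allow-listed names only; hrefs must be same-document fragments (blocks javascript:, data:, remote URLs).
const attrAllowed = (name, value) => ALLOWED_ATTRS.has(name) &&
  (!/^(?:xlink:)?href$/.test(name) || /^#[\w.-]+$/.test(value));
function sanitizeSVG(svg) {
  let out = '';
  let skipDepth = 0; // > 0 while inside a dropped element: its whole subtree is discarded
  for (const [token, name, attrs, selfClose] of svg.matchAll(TOKEN_RE)) {
    if (name === undefined) {                        // text, comment, CDATA, DOCTYPE or PI
      if (skipDepth === 0 && token[0] !== '<') out += escapeText(token);
      continue;                                      // only text survives, escaped
    }
    const isClose = token[1] === '/';
    if (skipDepth > 0 || !ALLOWED_TAGS.has(name)) {  // e.g. script, foreignObject, image
      if (isClose) skipDepth = Math.max(0, skipDepth - 1); else if (!selfClose) skipDepth++;
      continue;
    }
    if (isClose) { out += `</${name}>`; continue; }
    let kept = '';
    for (const [, aName, dq, sq] of attrs.matchAll(ATTR_RE)) {
      const value = dq !== undefined ? dq : (sq || '');
      if (attrAllowed(aName, value)) kept += ` ${aName}="${escapeAttr(value)}"`;
    }
    out += `<${name}${kept}${selfClose ? '/' : ''}>`;
  }
  return out;
}
// Constructed sample (not from the advisory): a diagram-style SVG with injected content.
const UNTRUSTED_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" onload="alert(1)">
  <script>alert(1)</script><circle cx="50" cy="50" r="20" fill="#0a0"/>
  <a href="javascript:alert(1)"><text x="10" y="90">Pin 1 &amp; 2</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/></body></foreignObject>
</svg>`;
console.log(sanitizeSVG(UNTRUSTED_SVG));
```

Only the circle, the text and their allow-listed attributes survive; the script element, the onload handler, the javascript: href and the foreignObject subtree are all dropped rather than escaped into visible text.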

WAF Protection Rules

WAF Rule

Stored Cross-Site Scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal *.*.*.** through *.*.*.***, and Liferay DXP ****.Q*.* through ****.Q*.*, ****.Q*.* through ****.Q*.*, and *.* update ** through update **. This vul
