CVE-2025-43744: Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels
(updated )
A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding.
References
- github.com/advisories/GHSA-m49p-6cjp-x2h3
- github.com/liferay/liferay-portal
- github.com/liferay/liferay-portal/commit/3b36fadfe92437deab4a55029a1a369e046f3829
- github.com/liferay/liferay-portal/commit/c07a490b3d3759f38c5473cda74e99540bd0235e
- liferay.atlassian.net/browse/LPE-18271
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43744
- nvd.nist.gov/vuln/detail/CVE-2025-43744
Code Behaviors & Features
Detect and mitigate CVE-2025-43744 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →