CVE-2025-43822: Liferay Portal has multiple Stored XSS vulnerabilities on its View Order page

October 8, 2025 (updated November 10, 2025)

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via crafted payload injected into a Terms and Condition’s Name text field to (1) Payment Terms, or (2) the Delivery Term on the view order page.

References

github.com/advisories/GHSA-4mqx-4p8g-995w
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43822
nvd.nist.gov/vuln/detail/CVE-2025-43822

Code Behaviors & Features

Detect and mitigate CVE-2025-43822 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →