Auth XSS via JournalPortlet_backURL in Liferay Portal 7.4.3.132
CVE-2025-43737 Published on August 19, 2025

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.

NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2025-43737 has been classified to as a XSS vulnerability or weakness.

Affected Versions

Liferay Portal:

Version 7.4.3.132 is affected.

Liferay DXP:

Version 2025.Q1.0, <= 2025.Q1.15 is affected.
Version 2025.Q2.0, <= 2025.Q2.8 is affected.

Exploit Probability

EPSS

0.04%

Percentile

13.81%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Auth XSS via JournalPortlet_backURL in Liferay Portal 7.4.3.132CVE-2025-43737 Published on August 19, 2025

Weakness Type

What is a XSS Vulnerability?

Affected Versions

Exploit Probability

Auth XSS via JournalPortlet_backURL in Liferay Portal 7.4.3.132
CVE-2025-43737 Published on August 19, 2025