{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "2024.q1.1" }, { "fixed": "2024.q1.20" } ] }, { "events": [ { "introduced": "2025.Q1.0" }, { "fixed": "2025.Q1.16" } ] }, { "events": [ { "introduced": "2025.Q2.0" }, { "fixed": "2025.Q2.3" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "7.4.3.132" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "a9017d1f654503189fcd6eecd59bd501a7015b8c" } ], "repo": "https://github.com/liferay/liferay-portal", "type": "GIT" } ] } ], "details": "\u003c!--td {border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}--\u003eA reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.", "id": "CVE-2025-43756", "modified": "2026-03-10T21:47:20.829172704Z", "published": "2025-08-21T17:15:30.933Z", "references": [ { "type": "ADVISORY", "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43756" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }