CVE-2025-43783: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and Liferay DXP, identified as CVE-2025-43783. The vulnerability was disclosed on September 10, 2025, affecting multiple versions including Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP versions spanning 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 (Liferay Security).

The vulnerability exists in the '/c/portal/comment/discussion/geteditor' path, allowing remote attackers to inject arbitrary web script or HTML. The severity of this vulnerability has been rated with a CVSS v4.0 score of 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N), indicating a moderate risk level ([Liferay Security](https://liferay.dev/portal/security/known-vulnerabilities/-/assetpublisher/jekt/content/CVE-2025-43783)).

The vulnerability allows attackers to execute arbitrary web scripts or inject HTML content through the affected path, potentially leading to client-side attacks against users of the affected Liferay installations (AttackerKB).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal 7.4.3.129, Liferay DXP 2024.Q1.13, Liferay DXP 2024.Q3.2, or Liferay DXP 2024.Q4.0 (Liferay Security).