关键漏洞信息 漏洞概述 CVE编号: CVE-2025-43778 类型: Stored XSS on the name of a fieldset 描述 A stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker to inject JavaScript through the name of a fieldset in Kaleo Forms Admin. The malicious payload is stored and executed without proper sanitization or escaping. 严重性 CVSS评分: 4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) 影响版本 Liferay Portal: - 7.4.0 through 7.4.3.132 Liferay DXP 2024: - Q4.0 through Q4.7 - Q3.0 through Q3.13 - Q2.0 through Q2.13 - Q1.1 through Q1.20 修复版本 Liferay Portal: fixed on master branch Liferay DXP 2025: - Q1.17 - Q2.12 致谢 This issue was reported by Lauritz Holme. 发布日期 Mon, 08 Sep 2025 13:17:00 +0000