{"id":"CVE-2025-43820","details":"Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle text, or (3) Last Name text fields.","aliases":["GHSA-pf86-4w35-cj89"],"modified":"2026-07-08T06:56:31.510345907Z","published":"2025-09-29T22:15:36Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"2023.Q3.1"},{"fixed":"2023.Q3.7"},{"introduced":"2023.Q4.0"},{"fixed":"2023.Q4.5"}],"vendor_product":"liferay:digital_experience_platform","cpes":["cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*"],"source":"CPE_RANGE"},{"extracted_events":[{"introduced":"7.3-update25"},{"last_affected":"7.3-update25"},{"introduced":"7.3-update26"},{"last_affected":"7.3-update26"},{"introduced":"7.3-update27"},{"last_affected":"7.3-update27"},{"introduced":"7.3-update28"},{"last_affected":"7.3-update28"},{"introduced":"7.3-update29"},{"last_affected":"7.3-update29"},{"introduced":"7.3-update30"},{"last_affected":"7.3-update30"},{"introduced":"7.3-update31"},{"last_affected":"7.3-update31"},{"introduced":"7.3-update32"},{"last_affected":"7.3-update32"},{"introduced":"7.3-update33"},{"last_affected":"7.3-update33"},{"introduced":"7.3-update34"},{"last_affected":"7.3-update34"},{"introduced":"7.3-update35"},{"last_affected":"7.3-update35"},{"introduced":"7.3-update36"},{"last_affected":"7.3-update36"},{"introduced":"7.4-update35"},{"last_affected":"7.4-update35"},{"introduced":"7.4-update36"},{"last_affected":"7.4-update36"},{"introduced":"7.4-update37"},{"last_affected":"7.4-update37"},{"introduced":"7.4-update38"},{"last_affected":"7.4-update38"},{"introduced":"7.4-update39"},{"last_affected":"7.4-update39"},{"introduced":"7.4-update40"},{"last_affected":"7.4-update40"},{"introduced":"7.4-update41"},{"last_affected":"7.4-update41"},{"introduced":"7.4-update42"},{"last_affected":"7.4-update42"},{"introduced":"7.4-update43"},{"last_affected":"7.4-update43"},{"introduced":"7.4-update44"},{"last_affected":"7.4-update44"},{"introduced":"7.4-update45"},{"last_affected":"7.4-update45"},{"introduced":"7.4-update46"},{"last_affected":"7.4-update46"},{"introduced":"7.4-update47"},{"last_affected":"7.4-update47"},{"introduced":"7.4-update48"},{"last_affected":"7.4-update48"},{"introduced":"7.4-update49"},{"last_affected":"7.4-update49"},{"introduced":"7.4-update50"},{"last_affected":"7.4-update50"},{"introduced":"7.4-update51"},{"last_affected":"7.4-update51"},{"introduced":"7.4-update52"},{"last_affected":"7.4-update52"},{"introduced":"7.4-update53"},{"last_affected":"7.4-update53"},{"introduced":"7.4-update54"},{"last_affected":"7.4-update54"},{"introduced":"7.4-update55"},{"last_affected":"7.4-update55"},{"introduced":"7.4-update56"},{"last_affected":"7.4-update56"},{"introduced":"7.4-update57"},{"last_affected":"7.4-update57"},{"introduced":"7.4-update58"},{"last_affected":"7.4-update58"},{"introduced":"7.4-update59"},{"last_affected":"7.4-update59"},{"introduced":"7.4-update60"},{"last_affected":"7.4-update60"},{"introduced":"7.4-update61"},{"last_affected":"7.4-update61"},{"introduced":"7.4-update62"},{"last_affected":"7.4-update62"},{"introduced":"7.4-update63"},{"last_affected":"7.4-update63"},{"introduced":"7.4-update64"},{"last_affected":"7.4-update64"},{"introduced":"7.4-update65"},{"last_affected":"7.4-update65"},{"introduced":"7.4-update66"},{"last_affected":"7.4-update66"},{"introduced":"7.4-update67"},{"last_affected":"7.4-update67"},{"introduced":"7.4-update68"},{"last_affected":"7.4-update68"},{"introduced":"7.4-update69"},{"last_affected":"7.4-update69"},{"introduced":"7.4-update70"},{"last_affected":"7.4-update70"},{"introduced":"7.4-update71"},{"last_affected":"7.4-update71"},{"introduced":"7.4-update72"},{"last_affected":"7.4-update72"},{"introduced":"7.4-update73"},{"last_affected":"7.4-update73"},{"introduced":"7.4-update74"},{"last_affected":"7.4-update74"},{"introduced":"7.4-update75"},{"last_affected":"7.4-update75"},{"introduced":"7.4-update76"},{"last_affected":"7.4-update76"},{"introduced":"7.4-update77"},{"last_affected":"7.4-update77"},{"introduced":"7.4-update78"},{"last_affected":"7.4-update78"},{"introduced":"7.4-update79"},{"last_affected":"7.4-update79"},{"introduced":"7.4-update80"},{"last_affected":"7.4-update80"},{"introduced":"7.4-update81"},{"last_affected":"7.4-update81"},{"introduced":"7.4-update82"},{"last_affected":"7.4-update82"},{"introduced":"7.4-update83"},{"last_affected":"7.4-update83"},{"introduced":"7.4-update84"},{"last_affected":"7.4-update84"},{"introduced":"7.4-update85"},{"last_affected":"7.4-update85"},{"introduced":"7.4-update86"},{"last_affected":"7.4-update86"},{"introduced":"7.4-update87"},{"last_affected":"7.4-update87"},{"introduced":"7.4-update88"},{"last_affected":"7.4-update88"},{"introduced":"7.4-update89"},{"last_affected":"7.4-update89"},{"introduced":"7.4-update90"},{"last_affected":"7.4-update90"},{"introduced":"7.4-update91"},{"last_affected":"7.4-update91"},{"introduced":"7.4-update92"},{"last_affected":"7.4-update92"}],"vendor_product":"liferay:digital_experience_platform","cpes":["cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.3:update36:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*","cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*"],"source":"CPE_STRING"}]},"references":[{"type":"ADVISORY","url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43820"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"e0d71ab52dfa2c3fc906a1014d305aa547826383"},{"fixed":"f018f8e5c94f9fe264531e7180739d82a7b47224"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"7.4.3.35"},{"fixed":"7.4.3.111"}],"cpe":"cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43820.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}