Key Vulnerability Information

Vulnerability ID: CVE-2025-43776

Description: The Process Builder's Configuration tab fails to properly escape stored JavaScript code.

Impact: A stored cross-site scripting vulnerability in Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript through a Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

Severity: 4.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

Affected versions:
Liferay Portal 7.4.0 through 7.4.3.132
Liferay DXP 7.4 GA through U92
Liferay DXP 2024.Q1.1 through DXP 2024.Q1.19
Liferay DXP 2024.Q2.0 through DXP 2024.Q2.13
Liferay DXP 2024.Q3.0 through DXP 2024.Q3.13
Liferay DXP 2024.Q4.0 through DXP 2024.Q4.7
Liferay DXP 2025.Q1.0 through DXP 2025.Q1.16
Liferay DXP 2025.Q2.0 through DXP 2025.Q2.9

Fixed versions:
Liferay Portal fixed on master branch
Liferay DXP 2024.Q1.20
Liferay DXP 2025.Q1.17
Liferay DXP 2025.Q2.10

Acknowledgments: This issue was reported by NDix

Publication date: Tue, 09 Sep 2025 14:18:00 +0000
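
A triage check for the affected-version ranges listed in this advisory, added here as an example; it is not part of the original advisory and is not Liferay code. The function name, the "portal"/"dxp" labels, the accepted version-string formats (including a "-gaNNN" suffix on Portal versions) and the sample inventory are assumptions made for the example.

```python
import re

# Affected ranges copied from this advisory (inclusive on both ends).
PORTAL_RANGE = ((7, 4, 0), (7, 4, 3, 132))
DXP_74_MAX_UPDATE = 92          # DXP 7.4 GA (treated as update 0) through U92
DXP_QUARTERLY = {               # (year, quarter) -> (first, last) affected patch
    (2024, 1): (1, 19), (2024, 2): (0, 13), (2024, 3): (0, 13),
    (2024, 4): (0, 7), (2025, 1): (0, 16), (2025, 2): (0, 9),
}

def is_affected(product, version):
    """Return True if the product/version pair is inside the advisory's ranges.

    product is "portal" or "dxp" (labels chosen for this example).
    Raises ValueError on a string it cannot parse, so an unparseable
    inventory entry gets reviewed by hand instead of silently passing.
    """
    product, version = product.strip().lower(), version.strip()
    if product == "portal":
        version = version.split("-", 1)[0]   # assumption: drop a "-ga132" style suffix
        if not re.fullmatch(r"\d+(\.\d+){2,3}", version):
            raise ValueError(f"unrecognised Portal version: {version!r}")
        parts = tuple(int(p) for p in version.split("."))
        return PORTAL_RANGE[0] <= parts <= PORTAL_RANGE[1]
    if product == "dxp":
        m = re.fullmatch(r"(\d{4})\.Q([1-4])\.(\d+)", version, re.I)
        if m:
            year, quarter, patch = (int(g) for g in m.groups())
            low, high = DXP_QUARTERLY.get((year, quarter), (1, 0))  # empty range if unlisted
            return low <= patch <= high
        m = re.fullmatch(r"(\d+\.\d+)\s+(GA|U(\d+))", version, re.I)
        if m:
            update = int(m.group(3)) if m.group(3) else 0
            return m.group(1) == "7.4" and update <= DXP_74_MAX_UPDATE
        raise ValueError(f"unrecognised DXP version: {version!r}")
    raise ValueError(f"unknown product: {product!r}")

# Constructed inventory entries, not taken from any real deployment.
SAMPLE_INVENTORY = [("portal", "7.4.3.120"), ("dxp", "7.4 U92"),
                    ("dxp", "2024.Q1.20"), ("dxp", "2025.Q2.9")]

if __name__ == "__main__":
    for product, version in SAMPLE_INVENTORY:
        state = "AFFECTED" if is_affected(product, version) else "not in listed range"
        print(f"{product} {version}: {state}")
```

A False result only means the version is outside the ranges this advisory lists; releases the advisory does not mention are not evaluated.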