CVE-2025-43807
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-12-15

Assigner: Liferay Inc.

Description
Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a publication’s β€œName” text field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-12-15
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-43807
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2023.Q3.1 (inc) to 2023.Q3.10 (inc)
liferay digital_experience_platform From 2023.Q4.0 (inc) to 2023.Q4.9 (exc)
liferay digital_experience_platform 7.4
liferay liferay_portal From 7.4.0 (inc) to 7.4.3.113 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43807 is a stored cross-site scripting (XSS) vulnerability in the notifications widget of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML by submitting a specially crafted payload into the 'Name' text field of a publication. This means malicious code can be stored and later executed in the context of users viewing the affected notifications widget. [1]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected notifications widget. This can lead to unauthorized actions such as stealing user session information, redirecting users to malicious sites, or performing actions on behalf of the user without their consent. However, the impact on confidentiality, integrity, and availability is considered low according to the CVSS score. [1]

Detection Guidance

This vulnerability can be detected by checking if your Liferay Portal or Liferay DXP installation is within the affected versions (Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q3.1 through 2023.Q3.10, 2023.Q4.0 through 2023.Q4.8, and 7.4). To detect exploitation attempts, monitor HTTP requests to the notifications widget for suspicious payloads injected into the 'Name' text field of publications, especially those containing script or HTML tags. There are no specific commands provided in the resources, but you can use web server logs analysis tools or intrusion detection systems to search for suspicious POST requests containing script tags or unusual HTML in the 'Name' parameter. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading your Liferay Portal or Liferay DXP to a fixed version: Liferay Portal 7.4.3.113 or later, Liferay DXP 2023.Q4.9, 2024.Q1.1, 2024.Q2.0 or later. Additionally, as a temporary measure, you can implement input validation and sanitization on the 'Name' text field in the notifications widget to prevent injection of arbitrary scripts or HTML. Monitoring and restricting user input to disallow script tags or suspicious payloads can also help reduce risk until the upgrade is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43807. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart