CVE-2025-43807
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-12-15
Assigner: Liferay Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2023.Q3.1 (inc) to 2023.Q3.10 (inc) |
| liferay | digital_experience_platform | From 2023.Q4.0 (inc) to 2023.Q4.9 (exc) |
| liferay | digital_experience_platform | 7.4 |
| liferay | liferay_portal | From 7.4.0 (inc) to 7.4.3.113 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43807 is a stored cross-site scripting (XSS) vulnerability in the notifications widget of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML by submitting a specially crafted payload into the 'Name' text field of a publication. This means malicious code can be stored and later executed in the context of users viewing the affected notifications widget. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected notifications widget. This can lead to unauthorized actions such as stealing user session information, redirecting users to malicious sites, or performing actions on behalf of the user without their consent. However, the impact on confidentiality, integrity, and availability is considered low according to the CVSS score. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Liferay Portal or Liferay DXP installation is within the affected versions (Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q3.1 through 2023.Q3.10, 2023.Q4.0 through 2023.Q4.8, and 7.4). To detect exploitation attempts, monitor HTTP requests to the notifications widget for suspicious payloads injected into the 'Name' text field of publications, especially those containing script or HTML tags. There are no specific commands provided in the resources, but you can use web server log analysis tools or intrusion detection systems to search for suspicious POST requests containing script tags or unusual HTML in the 'Name' parameter. [1]
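The log-review idea in the answer above, as an added example (not BaseFortify's or Liferay's code): it scans captured POST bodies for name-like form fields that carry HTML or script markup, undoing layered URL and HTML-entity encoding first so obfuscated payloads are still caught. It assumes you have a reverse proxy or WAF that records request bodies; the request records, paths and the `_PLACEHOLDER_PORTLET_name` parameter below are constructed stand-ins, not Liferay's real identifiers, and the suffix match in `is_name_field` is an assumption to adjust to what your instance actually sends.

```python
"""Flag form submissions whose 'name'-like field carries HTML/script markup.

Added defensive triage example; not part of the BaseFortify page or of Liferay.
"""
from __future__ import annotations

import html
import re
from urllib.parse import parse_qsl, unquote

# Patterns a plain publication name should never contain. This is a triage
# heuristic for defenders, not a complete XSS grammar.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9-]*"   # any HTML tag opener, e.g. <script, <img, </svg
    r"|\bon[a-z]+\s*="            # inline event handler, e.g. onerror=
    r"|javascript\s*:"            # javascript: URI scheme
    r"|expression\s*\(",          # legacy CSS expression()
    re.IGNORECASE,
)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo a bounded number of URL/HTML encoding layers (double-encoding,
    entity-encoding) so the detector sees what the browser would eventually see."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def is_name_field(param: str) -> bool:
    """Liferay prefixes portlet parameters with a namespace, so match on the
    suffix. ASSUMPTION: the publication 'Name' field ends in 'name'."""
    return param.lower().endswith("name")


def scan_body(body: str) -> list:
    """Return (param, decoded_value) pairs for name-like fields containing markup."""
    hits = []
    for param, raw in parse_qsl(body, keep_blank_values=True):
        if not is_name_field(param):
            continue
        value = normalize(raw)
        if SUSPICIOUS.search(value):
            hits.append((param, value))
    return hits


def scan_records(records: list) -> list:
    """Run scan_body over request records shaped like a proxy/WAF body log:
    dicts with 'ts', 'src', 'method', 'path', 'body'. Only POSTs are inspected."""
    findings = []
    for rec in records:
        if rec.get("method", "POST") != "POST":
            continue
        for param, value in scan_body(rec["body"]):
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "path": rec["path"], "param": param, "value": value})
    return findings


# Constructed sample records (not real traffic). Path and parameter names are
# placeholders, not Liferay's actual ones.
PATH = "/group/guest/~/control_panel/manage?p_p_id=PLACEHOLDER_PORTLET"
SAMPLE_RECORDS = [
    {"ts": "2025-09-23T10:01:02Z", "src": "10.0.0.5", "method": "POST", "path": PATH,
     "body": "_PLACEHOLDER_PORTLET_name=Q3+marketing+refresh&_PLACEHOLDER_PORTLET_description=copy+updates"},
    {"ts": "2025-09-23T10:05:17Z", "src": "10.0.0.9", "method": "POST", "path": PATH,
     "body": "_PLACEHOLDER_PORTLET_name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&_PLACEHOLDER_PORTLET_description=x"},
    # double URL-encoded: a single decode would still show '%3Cscript%3E'
    {"ts": "2025-09-23T10:06:40Z", "src": "10.0.0.9", "method": "POST", "path": PATH,
     "body": "_PLACEHOLDER_PORTLET_name=%253Cscript%253Ealert(1)%253C%252Fscript%253E"},
    {"ts": "2025-09-23T10:07:03Z", "src": "10.0.0.5", "method": "GET", "path": PATH, "body": ""},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"{finding['ts']} {finding['src']} {finding['param']} -> {finding['value']!r}")
```

Run it over your own body log after mapping the record fields; every hit is a candidate for a stored payload that will fire in the notifications widget, so cross-check the publication record in the database as well as the request.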
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading your Liferay Portal or Liferay DXP to a fixed version: Liferay Portal 7.4.3.113 or later, Liferay DXP 2023.Q4.9, 2024.Q1.1, 2024.Q2.0 or later. Additionally, as a temporary measure, you can implement input validation and sanitization on the 'Name' text field in the notifications widget to prevent injection of arbitrary scripts or HTML. Monitoring and restricting user input to disallow script tags or suspicious payloads can also help reduce risk until the upgrade is applied. [1]