CVE-2025-43787: 
Liferay Portal 脆弱性の分析と軽減

A Stored cross-site scripting (XSS) vulnerability has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and multiple versions of Liferay DXP including 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20. The vulnerability was discovered by Lauritz Holme and was disclosed on September 12, 2025. This security issue is tracked as CVE-2025-43787 (NVD, Liferay).

The vulnerability allows remote authenticated attackers to inject JavaScript through organization site names, where the malicious payload is stored and executed without proper sanitization or escaping. The vulnerability has been assigned a CVSS v4.0 score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability can lead to stored cross-site scripting attacks, potentially allowing attackers to execute malicious JavaScript code in users' browsers. This could result in theft of sensitive information, session hijacking, or other client-side attacks when users access the affected organization site names (Liferay).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal fixed on master branch or Liferay DXP 2025.Q3.1. These versions include proper input sanitization and escaping mechanisms to prevent XSS attacks (Liferay).