CVE-2025-43731: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability has been identified in Liferay Portal and Liferay DXP, tracked as CVE-2025-43731. The vulnerability affects multiple versions including Liferay Portal 7.4.0 through 7.4.3.132, and various Liferay DXP versions from 2024.Q1.1 through 2025.Q1.8. This security issue was disclosed on April 23, 2025 (Liferay Advisory).

The vulnerability allows remote authenticated users to inject JavaScript code in message board threads and categories. The severity of this vulnerability has been assessed with a CVSS v4.0 score of 6.9 (Medium), with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability could allow attackers to execute malicious JavaScript code in the context of other users' browsers when they view affected message board threads and categories. This could potentially lead to theft of session tokens, cookie theft, and other client-side attacks (NVD).

The vulnerability has been fixed in multiple versions including Liferay Portal master branch, Liferay DXP 2025.Q2.0, Liferay DXP 2025.Q1.9, and Liferay DXP 2024.Q1.17. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).