CVE-2025-43738: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability identified as CVE-2025-43738 was discovered in Liferay Portal and Liferay DXP. The vulnerability was reported by NDIx and published on August 14, 2025. It affects multiple versions of Liferay Portal (7.4.0 through 7.4.3.132) and Liferay DXP across various releases from 2024.Q1 through 2025.Q2 (Liferay Vulnerability).

The vulnerability allows a remote authenticated user to inject JavaScript code via the comliferayexpandowebportletExpandoPortlet_displayType parameter. The severity has been assessed with a CVSS 4.0 score of 5.1 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database).

The exploitation of this vulnerability can lead to cross-site scripting attacks, potentially resulting in unauthorized access to user data and compromise of web application security. The vulnerability has been rated with low impact on confidentiality, integrity, and availability, but could allow attackers to execute malicious JavaScript code in users' browsers (CERT-FR).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal master branch, Liferay DXP 2025.Q2.9, or Liferay DXP 2025.Q1.16 depending on their current version. These updates contain the necessary security patches to prevent XSS attacks through the vulnerable parameter (Liferay Vulnerability).