CVE-2025-43755: 
Java vulnerability analysis and mitigation

A Stored cross-site scripting (XSS) vulnerability has been identified in Liferay Portal 7.4.0 through 7.4.3.132 and multiple versions of Liferay DXP, including 2025.Q2.0, 2025.Q1.0-13, 2024.Q4.0-7, 2024.Q3.0-13, 2024.Q2.0-13, 2024.Q1.1-17, and DXP 7.4 GA through update 92. The vulnerability was discovered by NDIx and publicly disclosed on June 11, 2025. This security flaw allows remote authenticated attackers to inject JavaScript code via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter (Liferay Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue. It has been assigned a CVSS v4.0 Base Score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The scoring indicates that the vulnerability requires high privileges (PR:H) but no user interaction (UI:N), can be exploited over the network (AV:N), and has low complexity (AC:L). The impact affects both confidentiality and integrity at a low level (VC:L, VI:L) with no impact on availability (NVD).

The vulnerability allows authenticated attackers to inject malicious JavaScript code that gets stored on the server and potentially executed in other users' browsers. This can lead to various security implications including data theft, session hijacking, or manipulation of the web interface for other users (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal fixed on branch master, Liferay DXP 2025.Q2.1, Liferay DXP 2025.Q1.14, or Liferay DXP 2024.Q1.18 as appropriate for their deployment (Liferay Advisory).