CVE-2025-43757: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP versions ranging from 2024.Q1.1 through 2025.Q2.2. The vulnerability was disclosed on August 20, 2025, and allows remote authenticated attackers to inject JavaScript code via the comliferaydynamicdatamappingwebportletDDMPortletdefinition parameter ([Liferay Advisory](https://liferay.dev/portal/security/known-vulnerabilities/-/assetpublisher/jekt/content/CVE-2025-43757)).

The vulnerability has been assigned a CVSS v4.0 base score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. This indicates that the vulnerability requires high privileges and user interaction to exploit, with the potential to impact confidentiality at a low level. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The successful exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers, potentially leading to theft of sensitive information or session hijacking. The impact is somewhat limited by the requirement for authentication and user interaction (AttackerKB).

The vulnerability has been fixed in Liferay Portal master branch and the following DXP versions: 2025.Q2.3, 2025.Q1.15, and 2024.Q1.19. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).