CVE-2025-43774: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability exists in Liferay Portal 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.17. The vulnerability was discovered and disclosed on September 8, 2025. This security flaw allows remote authenticated users to inject JavaScript code through the Style Book theme name functionality (Liferay Security).

The vulnerability has been assigned a CVSS v4.0 score of 2.1 with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The attack requires network access and high privileges, but no user interaction is needed for exploitation. The vulnerability specifically affects the Style Book theme name functionality where malicious JavaScript code can be injected and subsequently executed within the user's browser (Liferay Security).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the affected Style Book theme. This can lead to session hijacking, defacement, or theft of sensitive browser-based data (AttackerKB).

The vulnerability has been fixed in Liferay Portal's master branch and Liferay DXP version 2025.Q2.0. Organizations using affected versions should upgrade to the fixed versions as soon as possible. Until the upgrade can be completed, organizations should restrict access to Style Book theme functionality to trusted administrators only (Liferay Security).