CVE-2025-43775: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability has been identified in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP versions including 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92. The vulnerability was discovered by milCERT AT and publicly disclosed on November 29, 2024 (Liferay Security).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through the remote app title field. The severity has been assessed with a CVSS v4.0 score of 4.6 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD Database).

The vulnerability allows attackers to inject malicious web scripts or HTML content that can be stored on the server and executed when other users access the affected pages. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions.

Liferay has released fixed versions to address this vulnerability: Liferay Portal 7.4.3.129, Liferay DXP 2024.Q1.13, Liferay DXP 2024.Q3.6, and Liferay DXP 2024.Q4.0. Users are advised to upgrade to these patched versions to mitigate the risk (Liferay Security).