CVE-2025-43776: 
Java vulnerability analysis and mitigation

A Stored cross-site scripting (XSS) vulnerability identified as CVE-2025-43776 was discovered in Liferay Portal and Liferay DXP. The vulnerability was disclosed on September 9, 2025, affecting multiple versions of Liferay Portal (7.4.0 through 7.4.3.132) and Liferay DXP versions ranging from 7.4 GA through various quarterly releases up to 2025.Q2.9. The vulnerability was reported by NDIx (Liferay Advisory).

The vulnerability allows a remote authenticated attacker to inject JavaScript through Custom Object field label, with the malicious payload being stored and executed through the Process Builder's Configuration tab due to improper escaping. The vulnerability has been assigned a CVSS v4.0 score of 4.6 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, indicating network accessibility with low attack complexity but requiring high privileges and user interaction (Liferay Advisory).

The vulnerability can lead to stored cross-site scripting attacks, potentially allowing attackers to execute malicious JavaScript code in the context of other users' sessions when they access the Process Builder's Configuration tab. The CVSS scoring indicates low impact on confidentiality, integrity, and availability, with some potential for social engineering attacks (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal fixed on master branch, Liferay DXP 2024.Q1.20, Liferay DXP 2025.Q1.17, or Liferay DXP 2025.Q2.10 as appropriate for their deployment (Liferay Advisory).