CVE-2025-43779: 
Liferay Portal vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and DXP systems, identified as CVE-2025-43779. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.112, and Liferay DXP versions 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92. The issue was reported by NDIx and publicly disclosed on July 31, 2025 (Liferay Advisory).

The vulnerability allows a remote authenticated attacker to inject JavaScript code via the comliferaycommerceproductdefinitionswebinternalportletCPDefinitionsPortletproductTypeName parameter. When exploited, the malicious payload is reflected and executed within the user's browser. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability can lead to the execution of arbitrary JavaScript code in users' browsers, potentially allowing attackers to steal session tokens, manipulate web content, or perform actions on behalf of the victim. The impact is considered moderate as it requires authentication and can only achieve limited confidentiality and integrity breaches (AttackerKB).

Liferay has released patches to address this vulnerability. Users should upgrade to Liferay Portal version 7.4.3.113 or Liferay DXP version 2024.Q1.19, which contain the necessary security fixes (Liferay Advisory).