CVE-2025-43800: 
Java vulnerability analysis and mitigation

A Cross-site scripting (XSS) vulnerability was discovered in Objects functionality within Liferay Portal and Liferay DXP. The vulnerability affects Liferay Portal versions 7.4.3.20 through 7.4.3.111, Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, and Liferay DXP 7.4 GA through update 92. The issue was disclosed on September 15, 2025 (Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through a crafted payload injected into an object with a rich text type field. The vulnerability has been assigned a CVSS 4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability can lead to the execution of unauthorized web scripts or HTML in the context of other users' browsers, potentially leading to session hijacking, defacement, or theft of sensitive information. The CVSS scoring indicates low impacts on confidentiality and integrity, with no impact on availability (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.1, and Liferay DXP 2023.Q3.5. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).