CVE-2025-43802: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and DXP's custom object's /o/c/ API endpoint. The vulnerability affects Liferay Portal versions 7.4.3.51 through 7.4.3.109, and Liferay DXP versions 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. The vulnerability was reported by Amin ACHOUR and published on September 17, 2024 (Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through the externalReferenceCode parameter in the /o/c/ API endpoint. The severity of this vulnerability has been rated with a CVSS v4.0 Base Score of 4.8 (Medium) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability allows attackers to inject malicious web scripts or HTML content that could potentially be executed in users' browsers when they access the affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (AttackerKB).

The vulnerability has been fixed in Liferay Portal version 7.4.3.110, Liferay DXP 2024.Q1.1, DXP 2023.Q4.1, DXP 2023.Q3.5, and DXP 7.3 Update 36. Users are advised to upgrade to these fixed versions (Liferay Advisory).