CVE-2025-43807: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability (CVE-2025-43807) was discovered in the notifications widget of Liferay Portal and Liferay DXP. The vulnerability was disclosed on September 22, 2025, affecting multiple versions including Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 (NVD, Liferay).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through a crafted payload injected into a publication's "Name" text field. The severity is rated as MEDIUM with a CVSS v4.0 score of 4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability enables attackers to execute arbitrary web scripts or HTML in the context of other users' browsers when they view notifications containing the malicious payload. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (Liferay).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.113, Liferay DXP 2024.Q2.0, Liferay DXP 2024.Q1.1, and Liferay DXP 2023.Q4.9. Users are advised to upgrade to these versions to mitigate the vulnerability (Liferay).

The vulnerability was responsibly disclosed by security researcher foobar7. The issue was acknowledged and addressed by Liferay through their security advisory program (Liferay).