CVE-2025-43811: 
Java vulnerability analysis and mitigation

Multiple stored cross-site scripting (XSS) vulnerability was discovered in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 update 50 through update 92. The vulnerability was reported on September 13, 2024, by security researcher foobar7 and was assigned CVE-2025-43811 (Liferay Security).

The vulnerability allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into an asset author's First Name, Middle Name, or Last Name text fields. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database).

The vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions when users interact with the compromised asset selector functionality (Liferay Security).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.5, and Liferay DXP 2023.Q3.8. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Liferay Security).