CVE-2025-43812: 
Java vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and Liferay DXP's web content template functionality. The vulnerability was assigned CVE-2025-43812 and was disclosed on November 5, 2024. The vulnerability affects multiple versions including Liferay Portal 7.4.3.4 through 7.4.3.111, Liferay DXP 2023.Q4.0 through 2023.Q4.4, Liferay DXP 2023.Q3.1 through 2023.Q3.8, and Liferay DXP 7.4 GA through Update 92 (Liferay Advisory).

The vulnerability is classified as a cross-site scripting (XSS) issue that allows remote authenticated users to inject arbitrary web script or HTML through a crafted payload in a web content structure's Name text field. The vulnerability has been assigned a CVSS v4.0 base score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers to inject malicious web scripts or HTML content into the application through the web content structure's Name field. This could potentially lead to the execution of unauthorized scripts in users' browsers, potentially compromising user sessions or leading to other client-side attacks (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.5, or Liferay DXP 2023.Q3.9 depending on their current version (Liferay Advisory).

The vulnerability was reported by security researcher argon21, as acknowledged in the official advisory (Liferay Advisory).