CVE-2025-43812: 
Java vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and Liferay DXP's web content template functionality. The vulnerability, identified as CVE-2025-43812, was disclosed on November 5, 2024. The vulnerability affects multiple versions including Liferay Portal 7.4.3.4 through 7.4.3.111, Liferay DXP 2023.Q4.0 through 2023.Q4.4, Liferay DXP 2023.Q3.1 through 2023.Q3.8, and Liferay DXP 7.4 GA through Update 92 (Liferay Advisory).

The vulnerability allows remote authenticated users to inject arbitrary web script or HTML through a crafted payload injected into a web content structure's Name text field. The severity of this vulnerability has been assessed with a CVSS v4.0 base score of 4.8 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. This indicates that the vulnerability requires network access and low attack complexity, but also requires user interaction and authenticated access (Liferay Advisory).

The vulnerability could allow authenticated attackers to execute arbitrary web scripts or inject HTML code through the web content structure's Name field, potentially leading to cross-site scripting attacks against other users of the system (Liferay Advisory).

The vulnerability has been fixed in the following versions: Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.5, and Liferay DXP 2023.Q3.9. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).

The vulnerability was responsibly reported by security researcher 'argon21' and was handled through Liferay's security advisory process (Liferay Advisory).