CVE-2025-43820: 
Java vulnerability analysis and mitigation

Multiple cross-site scripting (XSS) vulnerabilities were discovered in the Calendar widget of Liferay Portal and DXP products, specifically when inviting users to an event. The vulnerability (CVE-2025-43820) was disclosed on September 13, 2024, affecting multiple versions including Liferay Portal 7.4.3.35 through 7.4.3.110, and various Liferay DXP versions. The issue received a CVSS v4.0 score of 4.8 (Medium) (Liferay Security).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through three different user input fields: First Name, Middle text, and Last Name text fields in the Calendar widget's user invitation feature. The attack requires low attack complexity (AC:L) and low privileges (PR:L), but does need user interaction (UI:A). The CVSS v4.0 vector string is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, indicating network accessibility with low impact on confidentiality and integrity (NVD Database).

The vulnerability can lead to stored XSS attacks, allowing malicious actors to execute arbitrary web scripts in the context of other users' browsers when they view calendar invitations. This could potentially lead to session hijacking, defacement of the calendar interface, or theft of sensitive information displayed in the calendar context (Liferay Security).

The vulnerability has been patched in Liferay Portal 7.4.3.111, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.5, and Liferay DXP 2023.Q3.7. Organizations running affected versions should upgrade to these fixed versions to mitigate the vulnerability (Liferay Security).

The vulnerability was responsibly disclosed by security researcher 'foobar7'. Liferay has acknowledged the finding and addressed it in their security advisory (Liferay Security).