CVE-2025-43823: 
Java vulnerability analysis and mitigation

Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field. The vulnerability was discovered and reported by foobar7, with initial disclosure on September 13, 2024 (Liferay Advisory).

The vulnerability has been assigned CVE-2025-43823 and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v4.0 Base Score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, indicating network accessibility, low attack complexity, required privileges, and active user interaction (NVD).

The vulnerability allows attackers to inject malicious web scripts or HTML through the Commerce Product's Name text field, potentially affecting the confidentiality and integrity of the application with low severity. The attack requires user interaction and authenticated access to execute (AttackerKB).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.6, and Liferay DXP 2023.Q3.9. Users are advised to upgrade to these patched versions (Liferay Advisory).