CVE-2025-43744 in Liferayinfo

Summary

by MITRE • 08/19/2025

A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/15/2025

This stored DOM-based cross-site scripting vulnerability exists within the Asset Publisher configuration interface of Liferay Portal and DXP products across multiple versions. The flaw resides in the Source.js module where user-provided input from DDM structure field labels is processed and subsequently inserted into the DOM using innerHTML operations without adequate sanitization or encoding mechanisms. The vulnerability represents a classic DOM-based XSS attack vector where malicious scripts can be persisted and executed in the context of authenticated users' browsers. This affects both community and enterprise editions of Liferay, spanning from version 7.4.0 through 7.4.3.132 and various DXP release cycles including 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19, and 7.4 GA through update 92.

The technical implementation of this vulnerability stems from improper handling of user input within the Asset Publisher's configuration UI. When administrators or users configure DDM structures, the field labels they provide are directly incorporated into the DOM through innerHTML operations rather than being properly escaped or encoded. This creates a persistent XSS condition where malicious JavaScript code injected into field labels becomes executable when the page renders, particularly when the Asset Publisher displays content that includes these labels. The vulnerability is classified as stored XSS because the malicious payload persists in the system and affects multiple users who view the affected content. According to CWE standards, this maps to CWE-79 which describes improper neutralization of input during web page generation, specifically in the context of DOM-based XSS attacks. The attack pattern aligns with ATT&CK technique T1566.001 which involves the use of malicious content in web applications to execute code in user browsers.

The operational impact of this vulnerability is significant as it allows attackers to execute arbitrary JavaScript code in the context of authenticated users' browsers, potentially leading to session hijacking, data theft, privilege escalation, or redirection to malicious sites. An attacker could craft malicious field labels containing JavaScript payloads that would execute whenever the Asset Publisher displays content using those labels. This creates a persistent threat that affects all users who view the affected pages, making it particularly dangerous in enterprise environments where administrators frequently configure DDM structures. The vulnerability affects the core functionality of Liferay's content management system and could be exploited to gain unauthorized access to sensitive data or system resources, especially in scenarios where administrators have elevated privileges. The impact is amplified by the fact that the vulnerability affects multiple versions across different release cycles, indicating a widespread exposure across the Liferay ecosystem.

Organizations should immediately apply available patches or updates from Liferay to address this vulnerability. Until patches are applied, administrators should implement strict input validation and sanitization measures for DDM structure field labels, particularly in environments where untrusted users can configure content. The implementation of Content Security Policy (CSP) headers can provide additional defense-in-depth protection against XSS attacks by restricting the sources from which scripts can be loaded and executed. Regular security monitoring and code reviews should be conducted to identify potential injection points, and user access controls should be enforced to limit who can modify DDM structures. Security teams should also implement automated scanning tools to detect and prevent malicious payloads from being injected into system configuration fields. The vulnerability highlights the importance of proper input validation and output encoding in web applications, particularly in content management systems where user-generated content is processed and displayed. Organizations should also consider implementing web application firewalls and monitoring solutions that can detect and block suspicious script injection attempts in real-time.

Responsible

Liferay

Reservation

04/17/2025

Disclosure

08/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00166

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!