
CVE-2025-43735: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal

Medium
Tags: Vulnerability, CVE-2025-43735, cve, cve-2025-43735, cwe-79
Published: Tue Aug 12 2025 (08/12/2025, 12:19:09 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript into the google_gadget.

AI-Powered Analysis

AI analysis last updated: 08/12/2025, 12:48:00 UTC

Technical Analysis

CVE-2025-43735 is a reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131 and in Liferay DXP releases spanning 2024.Q1.1 through 2024.Q4.7, as well as 7.4 GA through update 92. It stems from improper neutralization of input during web page generation (CWE-79) and lets an unauthenticated remote attacker inject JavaScript into the portal's 'google_gadget' component, the feature used to embed Google Gadgets in a page; this indicates that input parameters handled by that component are rendered without adequate sanitization or encoding. Reflected XSS occurs when user-supplied input is echoed directly into the response, so an attacker can craft a URL that, when visited by a user, executes an arbitrary script in that user's browser context, with consequences such as session hijacking, credential theft, or redirection to malicious sites.

The CVSS 4.0 base score of 6.9 (medium severity) reflects a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), limited impact on confidentiality and integrity (VC:L, VI:L), no impact on availability (VA:N), and limited scope (SC:L). The absence of any authentication or interaction requirement increases the likelihood of exploitation, although as of the publication date no exploits have been reported in the wild. Given the wide use of Liferay Portal and DXP in enterprise intranets, extranets, and public-facing websites, the flaw poses a significant risk if left unpatched: attackers could use it for phishing, to steal session cookies, or as a starting point for further attacks within the victim's network.

Potential Impact

For European organizations, the impact of CVE-2025-43735 can be substantial, especially for those relying on Liferay Portal or DXP for critical web services, intranet portals, or customer-facing applications. Successful exploitation could lead to unauthorized access to user sessions, data leakage, and potential compromise of internal systems if attackers use the XSS as a pivot point. Confidentiality is at risk due to possible theft of authentication tokens or sensitive information displayed on the portal. Integrity could be compromised if attackers inject malicious scripts that alter displayed content or perform unauthorized actions on behalf of users. Availability impact is minimal as the vulnerability does not directly affect service uptime. However, reputational damage and regulatory consequences under GDPR could be severe if personal data is exposed or if the organization fails to remediate promptly. The fact that no authentication or user interaction is required increases the threat surface, as attackers can target any user visiting the vulnerable portal. European organizations with high compliance requirements and public trust, such as government agencies, financial institutions, and healthcare providers, are particularly vulnerable to the fallout from such attacks.

Mitigation Recommendations

To mitigate CVE-2025-43735, European organizations should immediately identify all instances of Liferay Portal and DXP within their environments and verify the versions in use. Since no patch links are provided in the source, organizations should monitor Liferay's official security advisories for patches or updates addressing this vulnerability and apply them as soon as they become available. In the interim, implement strict input validation and output encoding on all parameters related to the 'google_gadget' component to neutralize potentially malicious input. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable parameters. Conduct thorough security testing, including automated scanning and manual penetration testing focused on XSS vectors in the portal. Educate users about the risks of clicking unknown links and consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Additionally, review and harden session management practices to limit the impact of potential session hijacking. Regularly audit logs for unusual activity that may indicate exploitation attempts. Finally, consider isolating or restricting access to the portal from untrusted networks until remediation is complete.
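As an added example (not taken from this page, from Liferay, or from the CVE record), the following Python script implements the log-audit step above: it scans access-log lines for requests that reference the google_gadget component and carry URL-decoded parameter values containing script-like content. The common log format, the /google_gadget path, and the url/title parameter names are assumptions; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (common log format); the /google_gadget path and
# the url/title parameter names are assumptions, not taken from Liferay's code.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:13:02:11 +0000] "GET /c/portal/layout?p_l_id=1 HTTP/1.1" 200 5120
203.0.113.9 - - [12/Aug/2025:13:02:40 +0000] "GET /google_gadget?url=https%3A%2F%2Fexample.test%2Fgadget.xml HTTP/1.1" 200 2048
198.51.100.4 - - [12/Aug/2025:13:03:05 +0000] "GET /google_gadget?url=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2100
198.51.100.4 - - [12/Aug/2025:13:03:09 +0000] "GET /google_gadget?title=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 2100
198.51.100.4 - - [12/Aug/2025:13:03:15 +0000] "GET /google_gadget?url=%253Cscript%253E HTTP/1.1" 200 2100
"""

# client ident user [time] "METHOD target proto" status ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators of script injection, applied to a parameter value after full URL-decoding.
MARKERS = [
    ("script-tag", re.compile(r"<\s*/?\s*script", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_text, component="google_gadget"):
    """Return one finding per request that touches `component` with a script-like parameter value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if component not in parts.path and component not in parts.query:
            continue  # unrelated request
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_fully(raw)  # parse_qsl already decoded one layer
            for label, pattern in MARKERS:
                if pattern.search(value):
                    findings.append({"ip": m.group("ip"), "param": name, "reason": label})
                    break  # one reason per parameter is enough for triage
    return findings
```

Running `flag_requests(SAMPLE_LOG)` flags the three requests from 198.51.100.4 (including the double-encoded one) and leaves the benign gadget URL alone; the marker list is deliberately small and should be tuned against real traffic before alerting on it.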


Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-04-17T10:55:20.337Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 689b3470ad5a09ad003199cc

Added to database: 8/12/2025, 12:32:48 PM

Last enriched: 8/12/2025, 12:48:00 PM

Last updated: 8/12/2025, 2:47:49 PM
