CVE-2025-43737: CWE-79: Cross-site Scripting in Liferay Portal
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15, allows a remote authenticated user to inject JavaScript code via the _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.
AI Analysis
Technical Summary
CVE-2025-43737 is a reflected Cross-Site Scripting (XSS) vulnerability identified in Liferay Portal version 7.4.3.132 and Liferay DXP versions 2025.Q1.0 through 2025.Q1.15 and 2025.Q2.0 through 2025.Q2.8. The vulnerability arises from improper sanitization of user input in the _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter, which allows a remote authenticated user to inject malicious JavaScript code. Reflected XSS occurs when untrusted input is returned immediately in a web response without proper encoding or validation, enabling an attacker to execute arbitrary scripts in the context of the victim's browser session. In this case the attacker must be authenticated, which limits the attack surface to users with valid credentials. The CVSS 4.0 base score is 5.1 (medium severity), reflecting a network attack vector, low attack complexity, only the privileges of an authenticated user, and required user interaction. The vulnerability impacts confidentiality and integrity at a low level: injected scripts could be used to steal session tokens, perform actions on behalf of the user, or manipulate displayed content. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The vulnerability is categorized under CWE-79, a common and well-understood web application weakness covering improper neutralization of input during web page generation.
Potential Impact
For European organizations using Liferay Portal or Liferay DXP in the affected versions, this vulnerability poses a risk primarily to internal users or partners who have authenticated access to the portal. Successful exploitation could lead to session hijacking, unauthorized actions performed with the victim's privileges, or the spread of malicious payloads within the organization's intranet. This could result in data leakage, unauthorized data modification, or reputational damage. Since Liferay Portal is widely used for enterprise content management, intranet portals, and customer-facing web applications, the impact could extend to sensitive business information and user data. The medium severity score reflects that while the vulnerability requires authentication and user interaction, the potential for lateral movement and privilege escalation within an organization exists if combined with other vulnerabilities or social engineering. Additionally, the lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability details are public.
Mitigation Recommendations
Organizations should prioritize upgrading to patched versions of Liferay Portal and DXP once they become available. In the interim, administrators should implement strict input validation and output encoding on the _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter to neutralize malicious scripts. Web Application Firewalls (WAFs) can be configured to detect and block suspicious payloads targeting this parameter. Additionally, enforcing strong authentication mechanisms and monitoring user activity for anomalous behavior can help detect exploitation attempts. Security teams should conduct regular security assessments and penetration tests focusing on XSS vulnerabilities within the portal. Educating users about phishing and social engineering risks is also important since user interaction is required for exploitation. Finally, reviewing and minimizing the number of users with portal access can reduce the attack surface.
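One way to apply the validation-and-encoding mitigation to a reflected back-URL parameter, as an added example written for this page (not Liferay code and not the vendor's fix): the value is accepted only when it is a local, path-absolute URL, rejections carry a reason string for monitoring, and the value is HTML-attribute-encoded before it is reflected. The function names and the sample values are assumptions constructed for the demonstration.

```python
from html import escape

MAX_LEN = 2048  # assumed limit; a legitimate back URL never needs more


def check_back_url(raw: str) -> tuple[bool, str]:
    """Decide whether a back-URL value may be reflected, and say why not.

    Only path-absolute, same-site values (one leading '/') pass, so absolute
    URLs, scheme-relative '//host' forms, '/\\host' (read by browsers as
    '//host') and non-http schemes are all rejected before use. The reason
    string is for logging, so rejected values can feed anomaly monitoring."""
    if not raw:
        return False, "empty"
    if len(raw) > MAX_LEN:
        return False, "too-long"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return False, "control-char"
    if raw.startswith("//") or raw.startswith("/\\"):
        return False, "scheme-relative"
    if not raw.startswith("/"):
        return False, "not-local"
    return True, "ok"


def safe_back_url(raw: str, default: str = "/") -> str:
    """Validated value, or the default landing path when the input is rejected."""
    ok, _reason = check_back_url(raw)
    return raw if ok else default


def render_back_link(raw: str) -> str:
    """Reflect the value only after validation AND HTML-attribute encoding.

    Encoding is what closes the CWE-79 gap: even an accepted local path that
    carries '<', '>', '"' or '&' cannot break out of the href attribute."""
    return '<a href="%s">Back</a>' % escape(safe_back_url(raw), quote=True)


# Constructed sample parameter values (not taken from any real request).
SAMPLES = [
    "/group/guest/home?p_p_id=example",
    "https://attacker.example/",
    "//attacker.example/",
    "/\\attacker.example/",
    "/home\r\nX-Injected: 1",
    '/home?title=<b>"x"</b>',
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(check_back_url(value), "->", render_back_link(value))
```

Logging the reason string on every rejection gives the monitoring recommended above something concrete to alert on.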
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:20.338Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4bfcbad5a09ad00fa098e
Added to database: 8/19/2025, 6:17:47 PM
Last enriched: 8/19/2025, 6:33:35 PM
Last updated: 8/19/2025, 6:48:15 PM