CVE-2025-43741 is a reflected Cross-Site Scripting (XSS) vulnerability identified in multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.132 and various quarterly releases of Liferay DXP from 2024.Q1.1 through 2025.Q1.3. The vulnerability arises due to improper neutralization of user-supplied input in the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter. This flaw allows a remote authenticated attacker to inject malicious JavaScript code into web pages generated by the portal. When a victim user accesses the crafted URL or page, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability requires the attacker to be authenticated, which limits exploitation to users with some level of access to the portal. The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and partial impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks. The affected parameter is part of the Users Admin portlet, indicating that the vulnerability could be exploited in administrative or user management contexts within the portal.

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a moderate risk. Liferay is widely used in enterprise intranets, public sector portals, and customer-facing web applications across Europe. Exploitation could lead to unauthorized actions performed by attackers leveraging authenticated user sessions, potentially exposing sensitive user data or allowing privilege escalation within the portal environment. Given the requirement for authentication, the threat is more pronounced in environments with weak access controls or where user credentials might be compromised or shared. The reflected XSS could also be used as a stepping stone for social engineering attacks targeting employees or customers, undermining trust and potentially leading to data breaches or compliance violations under GDPR. Additionally, disruption or manipulation of user management functions could impact operational continuity. The medium severity score suggests that while the vulnerability is not critical, it should be addressed promptly to prevent exploitation, especially in sectors with high regulatory scrutiny such as finance, healthcare, and government institutions in Europe.

To mitigate this vulnerability, European organizations should: 1) Immediately review and restrict access to the Users Admin portlet to only necessary personnel, enforcing the principle of least privilege. 2) Implement strict input validation and output encoding on the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter to neutralize any injected scripts. 3) Monitor portal logs for unusual or suspicious requests targeting this parameter, which could indicate attempted exploitation. 4) Apply any forthcoming official patches or updates from Liferay as soon as they become available. 5) Educate authenticated users about the risks of clicking on suspicious links, as user interaction is required for exploitation. 6) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block reflected XSS payloads targeting this parameter. 7) Conduct regular security assessments and penetration testing focused on portal components to identify and remediate similar vulnerabilities proactively.