
CVE-2025-43744: CWE-79: Cross-site Scripting in Liferay Portal

Severity: Medium
Tags: Vulnerability, CVE-2025-43744, CWE-79
Published: Tue Aug 19 2025 (08/19/2025, 19:34:31 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding.

AI-Powered Analysis

Last updated: 08/19/2025, 20:03:16 UTC

Technical Analysis

CVE-2025-43744 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.132 and various quarterly releases from 2024.Q1 through 2025.Q2. The vulnerability resides in the Asset Publisher configuration UI within the Source.js module. It arises because DDM (Dynamic Data Mapping) structure field labels are inserted into the DOM using the innerHTML property without proper encoding or sanitization. This allows an attacker to inject arbitrary JavaScript code that is stored persistently and executed in the context of users who access the affected UI components. The vulnerability is classified as CWE-79, indicating improper neutralization of input leading to XSS. The CVSS 4.0 base score is 5.1 (medium severity), reflecting that the attack vector is network-based with low attack complexity, no privileges required but user interaction is needed, and the impact on confidentiality and integrity is low to limited, with no impact on availability. Exploitation does not require authentication but does require a victim user to interact with the malicious content. No known exploits are currently reported in the wild. The vulnerability can lead to session hijacking, unauthorized actions on behalf of users, or delivery of malicious payloads within the trusted domain of the Liferay Portal instance.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a moderate risk. Liferay is widely used in enterprise portals, intranets, and customer-facing web applications, including in sectors such as government, finance, education, and healthcare. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of authenticated users, potentially leading to session theft, privilege escalation, or unauthorized data access. This could compromise sensitive personal data protected under GDPR, leading to regulatory penalties and reputational damage. The stored nature of the XSS increases risk as malicious scripts persist and affect multiple users. However, the requirement for user interaction and the limited impact on availability reduce the overall criticality. Still, targeted attacks against high-value portals or administrative users could have significant operational and compliance consequences.

Mitigation Recommendations

Organizations should prioritize updating Liferay Portal and DXP to patched versions once available from the vendor. In the interim, administrators should restrict access to the Asset Publisher configuration UI to trusted users only, minimizing exposure. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce XSS impact. Conduct thorough input validation and output encoding on all user-supplied data, especially DDM structure field labels, to prevent injection of malicious code. Regularly audit portal configurations and user-generated content for suspicious scripts. Employ web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting Liferay-specific parameters. Educate users about the risks of interacting with untrusted content within the portal. Finally, monitor logs for unusual activity that may indicate exploitation attempts.
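As an added illustration of the sink described in the Technical Analysis and of the output-encoding and audit advice above (this is constructed example code, not Liferay's Source.js or any Liferay API), the unsafe and hardened ways of placing a stored DDM field label into markup, plus a small helper that flags stored labels containing markup or inline handlers:

```javascript
// Constructed sample labels, as an administrator might have stored them
// (hypothetical values, not taken from any real Liferay instance).
const SAMPLE_LABELS = [
  "Title",
  "Publish <b>Date</b>",
  "<img src=x onerror=alert(1)>",
];

// Vulnerable pattern: the label is concatenated straight into markup that
// is later assigned to element.innerHTML, so any tag in it becomes live DOM.
function renderLabelUnsafe(label) {
  return `<label class="ddm-field-label">${label}</label>`;
}

// Hardened pattern: encode the HTML metacharacters before the label enters
// markup. In a browser, element.textContent = label achieves the same.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderLabelSafe(label) {
  return `<label class="ddm-field-label">${escapeHtml(label)}</label>`;
}

// Audit helper for the "review stored content" recommendation: a field label
// never legitimately needs a tag, an on*= handler or a javascript: URL, so
// any label matching this is returned for manual review.
const SUSPICIOUS = /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:/i;

function auditLabels(labels) {
  return labels.filter((l) => SUSPICIOUS.test(l));
}
```

The audit pattern deliberately errs on the side of flagging, so a hit is a prompt for review rather than proof of tampering.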


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:23.316Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a4d4e5ad5a09ad00fa972e

Added to database: 8/19/2025, 7:47:49 PM

Last enriched: 8/19/2025, 8:03:16 PM

Last updated: 8/19/2025, 8:03:16 PM
