CVE-2025-43744: CWE-79: Cross-site Scripting in Liferay Portal
A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding.
AI Analysis
Technical Summary
CVE-2025-43744 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.132 and various quarterly releases from 2024.Q1 through 2025.Q2. The vulnerability resides in the Asset Publisher configuration UI within the Source.js module. It arises because DDM (Dynamic Data Mapping) structure field labels are inserted into the Document Object Model (DOM) using the innerHTML property without proper encoding or sanitization. This improper handling allows an attacker to inject arbitrary JavaScript code that will be stored and later executed in the context of users viewing the affected UI components. Since the vulnerability is stored, the malicious script persists and can impact multiple users over time. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and does not require privileges but does require user interaction (e.g., a user viewing the malicious content). The vulnerability impacts confidentiality and integrity at a limited scope, with no direct impact on availability. No known exploits are reported in the wild yet, but the presence of this vulnerability in widely used versions of Liferay Portal, a popular enterprise web platform, makes it a significant concern for organizations relying on this software for content management and portal services.
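The innerHTML pattern described above, next to two encoded alternatives, as an added example. This is not Liferay's Source.js code: the function names, the list markup and the sample labels are assumptions made for illustration.

```javascript
// Added illustration, not Liferay's Source.js; all names here are hypothetical.
const HTML_ESCAPES = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored labels are concatenated into markup unencoded, so
// assigning the result to element.innerHTML lets a label create elements.
function buildItemsUnsafe(fields) {
  return fields.map((f) => `<li data-field="${f.name}">${f.label}</li>`).join('');
}

// Hardened string building: every interpolated value is encoded first.
function buildItemsSafe(fields) {
  return fields
    .map((f) => `<li data-field="${escapeHtml(f.name)}">${escapeHtml(f.label)}</li>`)
    .join('');
}

// Preferred in a browser: skip HTML parsing and assign the label as text.
function appendItems(listEl, fields) {
  for (const f of fields) {
    const item = listEl.ownerDocument.createElement('li');
    item.setAttribute('data-field', f.name);
    item.textContent = f.label;
    listEl.appendChild(item);
  }
}

// Constructed sample labels; the second one carries markup.
const sampleFields = [
  {name: 'title', label: 'Title'},
  {name: 'summary', label: 'Summary<img src=x onerror=alert(1)>'},
];

console.log(buildItemsUnsafe(sampleFields)); // label markup survives as an <img> element
console.log(buildItemsSafe(sampleFields)); // label is rendered as inert text
```
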
Potential Impact
For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of unauthorized script execution within their web portals. This can lead to session hijacking, theft of sensitive information such as cookies or authentication tokens, and potentially unauthorized actions performed on behalf of legitimate users. Given that Liferay is often used for intranet portals, customer-facing websites, and collaboration platforms, exploitation could compromise user data confidentiality and integrity. The stored nature of the XSS increases the risk as malicious scripts persist and affect multiple users over time. This could lead to reputational damage, regulatory non-compliance (especially under GDPR if personal data is exposed), and operational disruptions. The medium severity suggests that while the vulnerability is not trivial, it requires some user interaction and does not allow full system compromise directly. However, chained with other vulnerabilities or social engineering, the impact could escalate. European organizations with public-facing Liferay portals or internal portals accessible via browsers are particularly at risk.
Mitigation Recommendations
Organizations should prioritize applying patches or updates from Liferay as soon as they become available to address this vulnerability. In the absence of immediate patches, administrators should review and restrict the ability to create or modify DDM structure field labels, especially by untrusted users. Implementing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Additionally, input validation and output encoding should be enforced at the application layer to prevent injection of malicious scripts. Regular security audits and penetration testing focusing on XSS vulnerabilities in portal configurations are recommended. Monitoring web application logs for unusual input patterns or script injections can provide early detection. User education to recognize suspicious portal behavior and limiting user privileges to only necessary roles can reduce exploitation likelihood. Finally, consider using web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting Liferay portals.
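One way to carry out the label review recommended above, as an added example rather than a Liferay tool: a recursive audit that flags localized field labels containing angle brackets. The structure shape (fields, label keyed by locale, nestedFields) and the sample data are assumptions; adapt the property names to the export you actually have.

```javascript
// Added example; the structure shape is an assumption, not Liferay's documented schema.
// Field labels are plain text, so angle brackets in one are worth a manual look.
const MARKUP_CHARS = /[<>]/;

// Walk fields recursively and report every localized label containing markup characters.
function auditLabels(fields, path = []) {
  const findings = [];
  for (const field of fields || []) {
    const here = [...path, field.name];
    for (const [locale, text] of Object.entries(field.label || {})) {
      if (typeof text === 'string' && MARKUP_CHARS.test(text)) {
        findings.push({field: here.join('.'), locale, label: text});
      }
    }
    findings.push(...auditLabels(field.nestedFields, here));
  }
  return findings;
}

// Constructed sample structure (hypothetical export).
const sampleStructure = {
  name: 'Article',
  fields: [
    {name: 'title', label: {en_US: 'Title', de_DE: 'Titel'}},
    {
      name: 'details',
      label: {en_US: 'Details'},
      nestedFields: [
        {name: 'summary', label: {en_US: 'Summary', fr_FR: 'Sommaire<img src=x onerror=alert(1)>'}},
      ],
    },
  ],
};

for (const hit of auditLabels(sampleStructure.fields)) {
  // JSON.stringify keeps the flagged label inert when it is logged or pasted into a report.
  console.log(`${hit.field} [${hit.locale}]: ${JSON.stringify(hit.label)}`);
}
```
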
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:23.316Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4d4e5ad5a09ad00fa972e
Added to database: 8/19/2025, 7:47:49 PM
Last enriched: 8/27/2025, 1:19:30 AM
Last updated: 9/30/2025, 9:49:34 AM