CVE-2025-43755 is a stored cross-site scripting (XSS) vulnerability affecting multiple versions of the Liferay Portal and Liferay DXP products, specifically versions 7.4.0 through 7.4.3.132, and various quarterly releases from 2024.Q1 through 2025.Q2. The vulnerability resides in the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter, which improperly sanitizes input, allowing a remote authenticated attacker to inject malicious JavaScript code. Because this is a stored XSS, the injected script is saved on the server and executed in the browsers of users who access the affected pages, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the portal. The CVSS 4.0 base score is 5.1 (medium severity), reflecting that the attack vector is network-based, requires high privileges (authenticated user with elevated rights), no user interaction is needed, and the impact on confidentiality and integrity is low to limited, with availability unaffected. The vulnerability does not currently have known exploits in the wild, but the presence of stored XSS in a widely used enterprise portal platform poses a significant risk if weaponized. The vulnerability affects a broad range of Liferay versions, including long-term support releases, indicating that many organizations may be exposed if they have not applied patches or mitigations. The lack of available patches at the time of reporting increases the urgency for organizations to implement compensating controls.

For European organizations using Liferay Portal or Liferay DXP, this vulnerability could lead to unauthorized execution of malicious scripts within the context of the portal application. This can compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of legitimate users, especially given the requirement for high privilege authentication. Since Liferay is commonly used for intranet portals, customer-facing websites, and collaboration platforms, exploitation could disrupt business operations, lead to data breaches, and damage organizational reputation. The medium severity score suggests that while the impact is not catastrophic, it is significant enough to warrant immediate attention. European organizations in sectors such as finance, government, healthcare, and telecommunications, which often rely on Liferay for critical internal and external services, could face regulatory scrutiny under GDPR if personal data is compromised. Additionally, stored XSS vulnerabilities can be leveraged as a foothold for further attacks, including phishing or lateral movement within networks.

1. Immediate mitigation should include restricting access to the affected portlet and parameter to only the most trusted and necessary users, minimizing the attack surface. 2. Apply strict input validation and output encoding on the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter to prevent injection of malicious scripts. 3. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the portal. 4. Monitor logs for unusual activity related to the GroupPagesPortlet and review user actions for signs of exploitation attempts. 5. If patches become available, prioritize their deployment in test environments followed by production, ensuring compatibility and stability. 6. Educate administrators and users about the risks of XSS and the importance of reporting suspicious behavior. 7. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block attempts to exploit this specific parameter. 8. Conduct regular security assessments and penetration tests focusing on portal components to identify and remediate similar vulnerabilities proactively.