
CVE-2025-43765: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal

Severity: Medium
Published: Sat Aug 23 2025 (08/23/2025, 04:32:39 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript into the text field from a web content.

AI-Powered Analysis

Last updated: 08/23/2025, 05:02:49 UTC

Technical Analysis

CVE-2025-43765 is a stored cross-site scripting (XSS) vulnerability affecting multiple versions of the Liferay Portal and Liferay DXP products, specifically versions 7.4.0 through 7.4.3.131 and various 2024 quarterly releases of Liferay DXP. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79), allowing a remote, unauthenticated attacker to inject malicious JavaScript code into text fields within web content. Because the injected script is stored persistently on the server, it can be executed in the browsers of users who view the affected content, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The CVSS 4.0 base score is 6.9 (medium severity), reflecting that the attack vector is network-based (no physical or local access required), no privileges or authentication are needed, and no user interaction is necessary for exploitation. However, the impact on confidentiality and integrity is limited to low, and availability impact is none. The scope is limited to the vulnerable Liferay Portal instances. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be considered a credible risk. Liferay Portal is a widely used enterprise web platform for building portals, intranets, and websites, making this vulnerability relevant for organizations relying on these versions for their web infrastructure.

Potential Impact

For European organizations using the affected Liferay Portal and DXP versions, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data confidentiality. Attackers could leverage the stored XSS to execute arbitrary scripts in the context of the victim's browser, potentially stealing authentication cookies, redirecting users to malicious sites, or performing unauthorized actions with the victim's privileges. This can lead to data breaches, unauthorized access to sensitive information, and reputational damage. Given that Liferay is often used in government, education, and enterprise environments across Europe, exploitation could impact critical services and internal portals. The fact that no authentication is required lowers the barrier for attackers, increasing the risk of widespread exploitation if unpatched systems are exposed to the internet. However, the limited impact on availability and the medium severity score suggest that while serious, the vulnerability is not likely to cause direct service outages or full system compromise by itself.

Mitigation Recommendations

European organizations should immediately identify all instances of Liferay Portal and DXP running affected versions (7.4.0 through 7.4.3.131 and the specified 2024 quarterly releases). Since no official patches or updates are linked in the provided data, organizations should monitor Liferay's official security advisories for patches addressing CVE-2025-43765 and apply them promptly once available. In the interim, organizations can mitigate risk by implementing strict input validation and output encoding on web content fields to prevent script injection. Web application firewalls (WAFs) should be configured to detect and block common XSS payloads targeting Liferay portals. Additionally, restricting public access to administrative or content management interfaces and enforcing least privilege principles can reduce exposure. Regular security audits and user awareness training to recognize phishing or suspicious redirects can further reduce impact. Finally, organizations should consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the portal.
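The first step above, checking an inventory against the affected ranges, as an added example (not code from Liferay or from the original page). The ranges are copied from the Description; the version string formats (`7.4.3.131`, `2024.Q3.7`, `7.4 GA`, `7.4 U92`), the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges copied from the CVE description on this page (all inclusive).
PORTAL_LOW, PORTAL_HIGH = (7, 4, 0, 0), (7, 4, 3, 131)      # Liferay Portal
DXP_QUARTERLY = {"Q1": (1, 13), "Q2": (0, 13), "Q3": (1, 13), "Q4": (0, 0)}  # DXP 2024.Qn.x
DXP_74_MAX_UPDATE = 92                                      # DXP 7.4 GA (0) .. update 92


def is_affected(product: str, version: str) -> bool:
    """True if the version is in a range listed for CVE-2025-43765.
    Assumed inventory formats (not defined by the page):
      portal: "7.4.3.131"; dxp: "2024.Q3.7", "7.4 GA" or "7.4 U92".
    False only means "not in the listed ranges". Unparseable input raises
    ValueError so the host is reviewed by hand instead of silently skipped.
    """
    product, version = product.strip().lower(), version.strip()
    if product == "portal" and re.fullmatch(r"\d+(\.\d+)*", version):
        parts = tuple(int(p) for p in version.split("."))
        parts += (0,) * (4 - len(parts))        # "7.4" compares as 7.4.0.0
        return PORTAL_LOW <= parts <= PORTAL_HIGH
    if product == "dxp":
        m = re.fullmatch(r"(\d{4})\.(Q[1-4])\.(\d+)", version, re.IGNORECASE)
        if m:
            low, high = DXP_QUARTERLY[m[2].upper()]
            return m[1] == "2024" and low <= int(m[3]) <= high
        m = re.fullmatch(r"(\d+\.\d+)\s+(?:GA|U(\d+))", version, re.IGNORECASE)
        if m:
            return m[1] == "7.4" and int(m[2] or 0) <= DXP_74_MAX_UPDATE
    raise ValueError(f"unrecognised product/version: {product!r} {version!r}")


# Constructed sample inventory: (host, product, version). Hostnames are made up.
INVENTORY = [
    ("intranet-01", "portal", "7.4.3.131"),
    ("intranet-02", "portal", "7.4.3.132"),
    ("portal-eu", "dxp", "2024.Q3.0"),
    ("portal-us", "dxp", "2024.Q2.13"),
    ("legacy-dxp", "dxp", "7.4 U92"),
]


def affected_hosts(inventory):
    """Return the hosts whose product/version is in an affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    print(affected_hosts(INVENTORY))
```

Note that `2024.Q3.0` is reported as not affected because the listed range starts at 2024.Q3.1, while 2024.Q2 and 2024.Q4 include the `.0` release.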


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:26.804Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a947f3ad5a09ad0026a825

Added to database: 8/23/2025, 4:47:47 AM

Last enriched: 8/23/2025, 5:02:49 AM

Last updated: 8/23/2025, 5:02:49 AM
