CVE-2025-43774 is a reflected Cross-Site Scripting (XSS) vulnerability identified in Liferay Portal version 7.4.3.132 and Liferay DXP versions from 2025.Q1.0 through 2025.Q1.17. This vulnerability arises due to insufficient sanitization of user input in the Style Book theme name parameter. An authenticated remote attacker can inject malicious JavaScript code into this parameter, which is then reflected back and executed in the context of the victim user's browser session. Since the vulnerability requires authenticated access, the attacker must have valid credentials or leverage compromised accounts to exploit it. The reflected nature of the XSS means the payload is not stored persistently but executed immediately when a crafted URL or request is accessed. The CVSS v4.0 base score is 2.1, indicating a low severity primarily due to the high attack complexity and requirement for privileges. However, even low-severity XSS vulnerabilities can be leveraged for session hijacking, privilege escalation, or delivering further attacks such as phishing or malware distribution within the affected portal environment. Liferay Portal is a widely used enterprise web platform for building corporate intranets, websites, and digital experiences, making this vulnerability relevant for organizations relying on this software for internal or external-facing services. No known public exploits or patches are currently available as of the published date, but the vulnerability is publicly disclosed and should be addressed promptly to prevent potential exploitation.

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Since the attack requires authenticated access, the threat is more significant in environments with weak credential management or where insider threats exist. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, unauthorized actions on behalf of users, or the spread of malware. This can disrupt business operations, damage reputation, and lead to compliance issues, especially under GDPR where data breaches must be reported. The impact is heightened in sectors with sensitive data such as finance, healthcare, and government institutions that use Liferay for their portals. Although the CVSS score is low, the ease of exploiting XSS vulnerabilities in social engineering campaigns or targeted attacks means organizations should not underestimate the risk. The lack of known exploits currently reduces immediate risk but also means organizations should proactively patch or mitigate to avoid future exploitation.

1. Immediate mitigation involves restricting access to the Style Book theme name functionality to only highly trusted users and monitoring for unusual activity related to theme changes. 2. Implement strict input validation and output encoding on all user-supplied data, especially the Style Book theme name parameter, to prevent injection of malicious scripts. 3. Apply Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the portal. 4. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of compromised credentials being used to exploit this vulnerability. 5. Regularly audit user privileges and remove unnecessary access rights to minimize the attack surface. 6. Monitor logs for suspicious requests containing script payloads targeting the Style Book theme name parameter. 7. Stay updated with Liferay vendor advisories and apply patches promptly once available. 8. Educate users about phishing and social engineering tactics that could be used to exploit this vulnerability.