CVE-2025-43794: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote authenticated attackers with the instance administrator role to inject arbitrary web script or HTML into all pages via a crafted payload injected into the Instance Configuration's (1) CDN Host HTTP text field or (2) CDN Host HTTPS text field.
AI Analysis
Technical Summary
CVE-2025-43794 is a stored cross-site scripting (XSS) vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, including 7.4.0 through 7.4.3.111, and various older unsupported versions. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, remote attackers who are authenticated with the instance administrator role can inject arbitrary web script or HTML into all pages through crafted payloads placed in the Instance Configuration's CDN Host HTTP or CDN Host HTTPS text fields. Because the payload is stored, it persists in the application and executes in the browsers of users who visit affected pages, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. Victims need do nothing beyond visiting an affected page, but injecting the payload requires high privileges (the instance administrator role). The CVSS v4.0 score is 4.6 (medium severity), reflecting a network attack vector, low attack complexity, high privileges required (PR:H) and user interaction (UI:A). No known exploits are currently reported in the wild, and no official patches or updates are linked in the provided data, indicating that mitigation may require vendor updates or configuration changes.
Potential Impact
For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a moderate risk. Since exploitation requires an attacker to have instance administrator privileges, the primary risk is insider threats or compromised administrator accounts. If exploited, attackers can inject malicious scripts that execute in the context of the web application, potentially leading to theft of sensitive information, session hijacking, or further compromise of user accounts. This can impact confidentiality and integrity of data, as well as user trust. Given Liferay's popularity in enterprise portals, intranets, and customer-facing websites across Europe, exploitation could disrupt business operations and damage reputations. The vulnerability's impact on availability is limited, but the potential for data leakage and unauthorized actions is significant. Organizations with strict regulatory requirements, such as GDPR, may face compliance risks if personal data is exposed through such attacks.
Mitigation Recommendations
To mitigate CVE-2025-43794, European organizations should:
1) Immediately review and restrict access to instance administrator roles to trusted personnel only, implementing strict access controls and multi-factor authentication to reduce risk of credential compromise.
2) Audit and sanitize all inputs in the Instance Configuration, especially the CDN Host HTTP and HTTPS fields, to ensure no malicious scripts are stored.
3) Monitor logs and web traffic for unusual activity indicative of XSS payload injections or exploitation attempts.
4) Apply any available vendor patches or updates as soon as they are released by Liferay.
5) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.
6) Educate administrators on secure configuration practices and the risks of stored XSS vulnerabilities.
7) Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting Liferay portals.
These steps go beyond generic advice by focusing on role-based access control, input validation in specific configuration fields, and layered defenses tailored to the vulnerability's characteristics.
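Recommendation 2 above, as an added example (not Liferay's code and not part of the original advisory): a Python check that flags stored CDN Host values that are anything other than a plain host URL. How the two field values are exported from the instance is left open; the function names, the allowed path characters and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Characters that never belong in a host URL and matter in HTML/JS output contexts.
_UNSAFE = re.compile(r"""[<>"'`\\\s\x00-\x1f\x7f]""")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_PATH = re.compile(r"^[A-Za-z0-9._~/-]*$")  # assumed allow-list for an optional path


def audit_cdn_host(value, expected_scheme):
    """Return a list of findings for one stored CDN Host value; [] means clean."""
    if not value:
        return []  # field not set
    findings = []
    if _UNSAFE.search(value):
        findings.append("unsafe character (markup, quote, whitespace or control)")
    try:
        parts = urlsplit(value)
        host = parts.hostname
        _ = parts.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return findings + ["not a parseable URL"]
    if parts.scheme != expected_scheme:
        findings.append(f"scheme is {parts.scheme!r}, expected {expected_scheme!r}")
    if not host or not all(_LABEL.match(label) for label in host.split(".")):
        findings.append("host is missing or not a valid DNS name")
    if parts.username is not None or parts.query or parts.fragment:
        findings.append("userinfo, query or fragment present")
    if not _PATH.match(parts.path):
        findings.append("path contains characters outside [A-Za-z0-9._~/-]")
    return findings


def audit_instance(cdn_http, cdn_https):
    """Audit both fields of one instance; returns {field: findings} for bad fields only."""
    report = {
        "CDN Host HTTP": audit_cdn_host(cdn_http, "http"),
        "CDN Host HTTPS": audit_cdn_host(cdn_https, "https"),
    }
    return {field: found for field, found in report.items() if found}


# Constructed sample values, not taken from any real instance.
SAMPLES = {
    "clean": ("http://cdn.example.com", "https://cdn.example.com:8443/assets"),
    "tampered": ("http://cdn.example.com", 'https://cdn.example.com"><b>x</b>'),
}

if __name__ == "__main__":
    for name, (http_value, https_value) in SAMPLES.items():
        print(name, audit_instance(http_value, https_value))
```

Any non-empty report is a reason to inspect who last changed the Instance Configuration and when.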
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:31.457Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c80217f4c0d71d10f5620b
Added to database: 9/15/2025, 12:09:59 PM
Last enriched: 9/15/2025, 12:10:36 PM
Last updated: 9/15/2025, 12:11:06 PM