CVE-2025-43802: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
Stored cross-site scripting (XSS) vulnerability in a custom object’s /o/c/<object-name> API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35 allows remote attackers to inject arbitrary web script or HTML via the externalReferenceCode parameter.
AI Analysis
Technical Summary
CVE-2025-43802 is a stored cross-site scripting (XSS) vulnerability identified in Liferay Portal versions 7.4.3.51 through 7.4.3.109, Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. The vulnerability exists in the /o/c/<object-name> API endpoint of a custom object, specifically via the externalReferenceCode parameter. Improper neutralization of input allows remote attackers to inject arbitrary web scripts or HTML content that is stored and later executed in the context of users accessing the vulnerable endpoint. This is classified under CWE-79, which pertains to improper input sanitization during web page generation, leading to cross-site scripting attacks. The vulnerability requires no authentication but does require user interaction (e.g., a victim visiting a crafted URL or page). The CVSS 4.0 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and limited impact on confidentiality and integrity. No known exploits are currently reported in the wild, and no official patches or mitigation links are provided yet. The vulnerability could be leveraged to execute malicious scripts in the browsers of users interacting with the affected Liferay Portal instance, potentially leading to session hijacking, defacement, or redirection to malicious sites.
Potential Impact
For European organizations using Liferay Portal, especially those deploying versions within the affected range, this vulnerability poses a risk of client-side script injection that can compromise user sessions, steal sensitive information, or manipulate web content. Organizations in sectors such as government, finance, healthcare, and education that rely on Liferay for their web portals may face reputational damage, data leakage, or regulatory non-compliance if exploited. Since Liferay is often used for intranet portals and customer-facing websites, the attack surface includes both internal employees and external users. The medium severity score indicates moderate risk; however, the ease of exploitation (no authentication required) and the potential for stored XSS to affect multiple users elevate the concern. European data protection regulations (e.g., GDPR) impose strict requirements on protecting personal data, and exploitation of this vulnerability could lead to data breaches triggering regulatory scrutiny and fines.
Mitigation Recommendations
1. Immediate mitigation should include implementing strict input validation and output encoding on the externalReferenceCode parameter within the /o/c/<object-name> API endpoint to neutralize malicious scripts.
2. Deploy web application firewalls (WAFs) with rules targeting typical XSS payloads to detect and block exploit attempts.
3. Restrict or monitor usage of custom objects and API endpoints that accept user input, applying least privilege principles.
4. Educate users to be cautious about clicking on suspicious links or interacting with untrusted content served by the portal.
5. Monitor logs for unusual activity or injection attempts targeting the vulnerable endpoint.
6. Coordinate with Liferay for official patches or updates and plan prompt deployment once available.
7. Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the portal.
8. Conduct regular security assessments and penetration testing focused on web application vulnerabilities including XSS.
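The following Python example illustrates recommendations 1 and 5 above. It is an added example and is not Liferay's code or the advisory's own material: it shows the difference between interpolating a stored externalReferenceCode into HTML unencoded (the CWE-79 pattern) and HTML-entity encoding it first, an allowlist validator for the parameter (the permitted character set is an assumption; match it to your own identifier scheme), and a small check that flags access-log lines where a request to a /o/c/<object-name> path carries markup in its URL. The log lines, the object name "tickets" and the request path shapes are constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote_plus

# Assumed allowlist for externalReferenceCode: plain identifier characters only.
# Adjust length and character set to the scheme your objects actually use.
ALLOWED_ERC = re.compile(r"^[A-Za-z0-9._-]{1,75}$")

# Constructed sample values, not taken from the advisory.
BENIGN_ERC = "TICKET-001"
PAYLOAD_ERC = "<script>alert(1)</script>"


def validate_external_reference_code(value: str) -> bool:
    """Reject any externalReferenceCode that is not a plain identifier (recommendation 1)."""
    return bool(ALLOWED_ERC.match(value))


def render_unsafe(erc: str) -> str:
    """Vulnerable pattern: the stored value is placed into the page without encoding."""
    return f'<span class="erc">{erc}</span>'


def render_safe(erc: str) -> str:
    """Hardened pattern: HTML-entity encode before the value reaches the page."""
    return f'<span class="erc">{html.escape(erc, quote=True)}</span>'


# Detection (recommendation 5): flag requests to the custom-object endpoint whose
# URL, after percent-decoding, contains tag characters or script-ish fragments.
# Single quotes are deliberately not matched because OData-style filters use them legitimately.
ENDPOINT = re.compile(r"/o/c/[^/\s?]+")
MARKUP = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP/')


def is_suspicious_target(request_target: str) -> bool:
    """True when the request targets /o/c/<object-name> and carries markup in path or query."""
    decoded = unquote_plus(request_target)
    return bool(ENDPOINT.search(decoded) and MARKUP.search(decoded))


def suspicious_requests(log_lines):
    """Return the access-log lines (combined-log style) worth a closer look."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if match and is_suspicious_target(match.group(1)):
            hits.append(line)
    return hits


# Constructed access-log sample: one ordinary create, one ordinary lookup,
# one request with a tag in the filter, and one tag outside the /o/c/ scope.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2025:10:00:00 +0000] "POST /o/c/tickets HTTP/1.1" 200 512',
    '10.0.0.7 - - [15/Sep/2025:10:00:01 +0000] "GET /o/c/tickets/by-external-reference-code/TICKET-001 HTTP/1.1" 200 812',
    '10.0.0.9 - - [15/Sep/2025:10:00:02 +0000] "GET /o/c/tickets?filter=externalReferenceCode%20eq%20%27%3Cscript%3E%27 HTTP/1.1" 200 310',
    '10.0.0.11 - - [15/Sep/2025:10:00:03 +0000] "GET /web/guest/search?q=%3Cb%3E HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for erc in (BENIGN_ERC, PAYLOAD_ERC):
        print(f"{erc!r}: valid={validate_external_reference_code(erc)}")
        print("  unsafe:", render_unsafe(erc))
        print("  safe:  ", render_safe(erc))
    print("suspicious log lines:")
    for line in suspicious_requests(SAMPLE_LOG):
        print(" ", line)
```

The validator and the encoder are complementary, not alternatives: validation stops script-bearing values from being stored in the first place, and encoding at render time protects against values that were stored before the check existed. The log check is intentionally narrow in scope (only /o/c/ paths) so that it can run over a busy portal log without drowning in hits from unrelated search or content pages.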
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:33.791Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c88d72d3590a194cba1bbf
Added to database: 9/15/2025, 10:04:34 PM
Last enriched: 9/15/2025, 10:05:02 PM
Last updated: 9/16/2025, 12:39:02 AM
Related Threats
- CVE-2025-59437: CWE-918 Server-Side Request Forgery (SSRF) in fedorindutny ip (Low)
- CVE-2025-59436: CWE-918 Server-Side Request Forgery (SSRF) in fedorindutny ip (Low)
- CVE-2025-10429: SQL Injection in SourceCodester Pet Grooming Management Software (Medium)
- CVE-2025-10440: OS Command Injection in D-Link DI-8100 (Medium)
- CVE-2025-10428: Unrestricted Upload in SourceCodester Pet Grooming Management Software (Medium)