
CVE-2025-43802: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal

Severity: Medium
Type: Vulnerability | Tags: cve-2025-43802, cwe-79
Published: Mon Sep 15 2025 (09/15/2025, 21:58:18 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Stored cross-site scripting (XSS) vulnerability in a custom object's /o/c/<object-name> API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35, allows remote attackers to inject arbitrary web script or HTML via the externalReferenceCode parameter.

AI-Powered Analysis

AI analysis last updated: 09/23/2025, 01:06:02 UTC

Technical Analysis

CVE-2025-43802 is a stored cross-site scripting (XSS) vulnerability identified in Liferay Portal versions 7.4.3.51 through 7.4.3.109 and Liferay DXP versions 2023.Q3.1 through 2023.Q3.4, as well as specific updates in the 7.4 and 7.3 branches. The vulnerability arises from improper neutralization of user-supplied input in the externalReferenceCode parameter of the /o/c/<object-name> API endpoint for custom objects. An attacker can exploit this flaw by submitting web script or HTML in that parameter; the value is stored and later rendered, so the script executes in the browser of users who view the affected content. This stored XSS can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The vulnerability requires no authentication but does require user interaction (the victim visiting a crafted page or API response). The CVSS 4.0 score is 4.8 (medium severity), reflecting a network attack vector, low attack complexity and no privileges required, but user interaction needed and limited impact on confidentiality and integrity. No known exploits in the wild have been reported yet. The vulnerability affects a widely used enterprise portal platform that integrates web content management, collaboration, and business process management, and is often deployed in corporate intranets and public-facing portals.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of client-side script injection that can compromise user sessions, leak sensitive information, or enable unauthorized actions within the portal environment. Given Liferay's popularity among government agencies, educational institutions, and enterprises in Europe for intranet and extranet portals, exploitation could lead to data breaches or disruption of business processes. Attackers could leverage this vulnerability to target employees or partners through crafted URLs or embedded content, potentially gaining footholds for further attacks or espionage. The medium severity rating suggests moderate risk, but the impact can escalate if combined with social engineering or chained with other vulnerabilities. Organizations handling sensitive personal data under GDPR must consider the compliance implications of any data leakage resulting from such attacks.

Mitigation Recommendations

Organizations should prioritize applying vendor patches or updates once available, as no official patch links are currently provided. In the interim, implement strict input validation and output encoding for the externalReferenceCode parameter in custom object APIs so that stored values cannot be rendered as markup. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of any XSS. Enable web application firewalls (WAFs) with rules targeting common XSS payloads, specifically monitoring the /o/c/ API endpoints. Conduct thorough code reviews of custom objects and API endpoints to identify and remediate unsafe input handling. Educate users to recognize suspicious links or content and encourage reporting of anomalous portal behavior. Regularly monitor logs for unusual requests or error patterns related to the affected endpoints. Finally, consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts dynamically.
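The validation, output-encoding and log-monitoring steps above, as an added example in Python that is not Liferay's code or part of the advisory; it assumes the parameter arrives in the query string of /o/c/ requests, and the allow-list pattern for externalReferenceCode is a conservative assumption, not Liferay's own rule:

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list for externalReferenceCode (letters, digits, dot, dash,
# underscore, 1-75 chars). This is an assumption chosen for the example, not
# Liferay's actual format rule; tighten or loosen it to match your objects.
ERC_PATTERN = re.compile(r"[A-Za-z0-9._-]{1,75}")
CUSTOM_OBJECT_PREFIX = "/o/c/"


def is_valid_erc(value: str) -> bool:
    """Input validation: reject anything outside the allow-list before storage."""
    return ERC_PATTERN.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding: a stored value is rendered as text, never as markup."""
    return html.escape(value, quote=True)


# Constructed access-log lines (not from a real deployment): method, target, status.
SAMPLE_LOG = """\
POST /o/c/tickets?externalReferenceCode=TCK-2025-001 200
POST /o/c/tickets?externalReferenceCode=%3Cscript%3Ealert(1)%3C/script%3E 200
GET /o/c/tickets/by-external-reference-code/TCK-2025-001 200
PUT /o/c/orders?externalReferenceCode=ord_42 200
POST /o/c/orders?externalReferenceCode=ERC%2001%22%3E 200
"""


def suspicious_requests(log_text: str) -> list:
    """Log check: return (method, path, decoded ERC) for /o/c/ requests whose
    externalReferenceCode fails the allow-list, i.e. candidates for review."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        method, target = parts[0], parts[1]
        if not target.startswith(CUSTOM_OBJECT_PREFIX):
            continue
        url = urlsplit(target)
        # parse_qs percent-decodes values, so encoded markup is compared decoded.
        for erc in parse_qs(url.query).get("externalReferenceCode", []):
            if not is_valid_erc(erc):
                hits.append((method, url.path, erc))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("review:", hit, "->", encode_for_html(hit[2]))
```

Requests that carry the code in a JSON body rather than the query string are not covered by this check and would need the same validation applied to the parsed body.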


Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-04-17T10:55:33.791Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c88d72d3590a194cba1bbf

Added to database: 9/15/2025, 10:04:34 PM

Last enriched: 9/23/2025, 1:06:02 AM

Last updated: 10/31/2025, 3:05:43 AM
