CVE-2025-43804 is a Cross-site Scripting (XSS) vulnerability identified in the Search widget component of Liferay Portal versions 7.4.3.93 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4. The vulnerability arises due to improper neutralization of input during web page generation, specifically through the _com_liferay_portal_search_web_portlet_SearchPortlet_userId parameter. This allows remote attackers to inject arbitrary web scripts or HTML content into the affected web pages. The injection occurs without requiring authentication, and the attack vector is network accessible (AV:N), with low attack complexity (AC:L). However, user interaction is required (UI:A) for the malicious script to execute, typically when a victim visits a crafted page or interacts with the vulnerable search widget. The vulnerability impacts the confidentiality and integrity of user sessions by enabling potential theft of cookies, session tokens, or other sensitive information, and can also be used to perform actions on behalf of the user (session hijacking or defacement). The CVSS 4.0 base score is 5.1, indicating a medium severity level. No known exploits are currently reported in the wild, and no patches are linked yet, which suggests that organizations using affected Liferay Portal versions should prioritize mitigation to prevent exploitation. The vulnerability is categorized under CWE-79, a common and well-understood web application security flaw related to improper input sanitization and output encoding.

For European organizations, the impact of this XSS vulnerability can be significant, especially for those relying on Liferay Portal for intranet, extranet, or public-facing websites. Successful exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, defacement of web content, or distribution of malware through injected scripts. This can result in reputational damage, loss of user trust, potential data breaches, and compliance issues under regulations such as GDPR if personal data is compromised. Since Liferay Portal is often used by enterprises, government agencies, and public institutions across Europe, the risk extends to critical sectors including finance, healthcare, and public administration. The requirement for user interaction somewhat limits automated exploitation but does not eliminate risk, as social engineering or phishing can be used to lure users into triggering the malicious payload. The absence of known exploits currently provides a window for proactive defense, but the medium severity score indicates that the vulnerability should not be underestimated.

1. Immediate mitigation should include applying any available patches or updates from Liferay as soon as they are released. Since no patch links are currently provided, organizations should monitor Liferay’s official security advisories closely. 2. Implement strict input validation and output encoding on the _com_liferay_portal_search_web_portlet_SearchPortlet_userId parameter to neutralize potentially malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 4. Conduct regular security assessments and penetration testing focused on web application vulnerabilities, including XSS. 5. Educate users about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of successful social engineering. 6. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting Liferay Portal. 7. Review and harden session management practices, including setting HttpOnly and Secure flags on cookies to mitigate session hijacking risks. 8. Consider isolating or restricting access to the vulnerable search widget if immediate patching is not feasible, possibly by disabling the widget or limiting its usage to trusted users only.