
CVE-2025-43807: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal

Severity: Medium
Type: Vulnerability (CVE-2025-43807, CWE-79)
Published: Mon Sep 22 2025 (09/22/2025, 16:17:24 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a publication’s “Name” text field.

AI-Powered Analysis

Last updated: 09/22/2025, 16:25:38 UTC

Technical Analysis

CVE-2025-43807 is a stored cross-site scripting (XSS) vulnerability identified in the notifications widget of Liferay Portal versions 7.4.0 through 7.4.3.112 and multiple versions of Liferay DXP (2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92). The vulnerability arises due to improper neutralization of input during web page generation (CWE-79), specifically allowing remote attackers to inject arbitrary web scripts or HTML code via a crafted payload inserted into the “Name” text field of a publication. Because this is a stored XSS, the malicious script is saved on the server and executed in the browsers of users who view the affected notifications widget, potentially leading to session hijacking, credential theft, or unauthorized actions performed in the context of the victim user. The CVSS 4.0 base score is 4.8 (medium severity), reflecting that the attack vector is network-based with low attack complexity, no privileges required, but user interaction is necessary (victim must view the malicious content). The impact on confidentiality, integrity, and availability is limited but non-negligible, as the vulnerability primarily threatens confidentiality and integrity through script execution in user browsers. No known exploits in the wild have been reported yet, and no official patches are linked in the provided data, indicating that mitigation may require vendor updates or manual remediation. The vulnerability affects a widely used enterprise portal platform, which is often deployed for intranet, extranet, and public-facing web portals, making it a relevant concern for organizations relying on Liferay for content management and collaboration.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of client-side attacks that can compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of users. Given that Liferay is commonly used in government, education, healthcare, and large enterprises across Europe, exploitation could lead to data breaches, loss of user trust, and regulatory non-compliance, especially under GDPR requirements concerning personal data protection. The stored nature of the XSS means that once a malicious payload is injected, it can affect multiple users until remediated, increasing the potential damage. Attackers could leverage this vulnerability to target privileged users or administrators, escalating the impact. Although the CVSS score is medium, the real-world impact could be significant if exploited in sensitive environments. Additionally, the requirement for user interaction (viewing the malicious notification) means social engineering or phishing tactics might be used to increase success rates. The absence of known exploits suggests a window of opportunity for proactive defense, but also means organizations should act promptly to prevent future attacks.

Mitigation Recommendations

European organizations should prioritize the following mitigations:

1) Apply official patches or updates from Liferay as soon as they become available to address the vulnerability directly.
2) Implement strict input validation and output encoding on the 'Name' text field and other user-controllable inputs within the notifications widget to prevent injection of malicious scripts.
3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, limiting the impact of any injected code.
4) Conduct regular security audits and penetration testing focused on web application inputs and stored content to identify similar vulnerabilities proactively.
5) Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with notifications or user-generated content.
6) Monitor logs and web traffic for unusual activity that could indicate exploitation attempts.
7) If patching is delayed, consider temporarily disabling or restricting access to the notifications widget or the affected input fields to reduce exposure.

Combined, these measures reduce both the likelihood and the impact of exploitation.
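Mitigation 2) above (contextual output encoding of the publication "Name" before it is rendered in a notification) and 3) (a restrictive CSP) in working form. This is an added illustration, not Liferay code: the renderer functions, the `publication` object and the sample name are constructed for this example and do not reproduce the real widget.

```javascript
// Added example (not Liferay's code): encoding an untrusted publication
// "Name" before it is placed in notification markup, the class of defect
// described for CVE-2025-43807. All names and data here are constructed.

// Entity-encode the five characters that are significant in HTML text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the stored name is concatenated into markup verbatim, so
// whatever was saved on the server runs in every viewer's browser.
function renderNotificationUnsafe(publication) {
  return `<li class="notification">Publication "${publication.name}" was updated</li>`;
}

// Hardened pattern: the same untrusted field is encoded for each context it
// lands in (attribute value and element text).
function renderNotificationSafe(publication) {
  const name = escapeHtml(publication.name);
  return `<li class="notification" title="${name}">Publication "${name}" was updated</li>`;
}

// Defence in depth (mitigation 3): a baseline CSP value for the response that
// serves the widget. Illustrative; tune source lists to the real deployment.
const NOTIFICATION_CSP =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample: a name whose value is markup rather than plain text.
const samplePublication = { name: '<img src=x onerror="alert(1)">Q4 release' };

// Stand-alone demonstration of both renderers on the same stored value.
function demo() {
  return {
    unsafe: renderNotificationUnsafe(samplePublication),
    safe: renderNotificationSafe(samplePublication),
    csp: NOTIFICATION_CSP,
  };
}
```

Running `demo()` shows the unsafe output carrying a live `<img ... onerror=...>` element, while the safe output carries only inert text (`&lt;img ...`) that the browser displays rather than parses.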


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:33.793Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d1781a31c9c64c14377c07

Added to database: 9/22/2025, 4:23:54 PM

Last enriched: 9/22/2025, 4:25:38 PM

Last updated: 10/7/2025, 1:41:32 PM
