CVE-2025-43811: CWE-79: Cross-site Scripting in Liferay Portal
Multiple stored cross-site scripting (XSS) vulnerabilities in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 update 50 through update 92 allow remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into an asset author’s (1) First Name, (2) Middle Name, or (3) Last Name text field.
AI Analysis
Technical Summary
CVE-2025-43811 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Liferay Portal 7.4.3.50 through 7.4.3.111 and Liferay DXP 2023.Q3.1 through 2023.Q3.7, 2023.Q4.0 through 2023.Q4.4, and 7.4 update 50 through update 92. The vulnerability resides in the related asset selector feature, specifically in the handling of the asset author's name fields (First Name, Middle Name, Last Name). Authenticated attackers can inject arbitrary JavaScript or HTML by submitting crafted payloads into these fields, which are then stored and rendered without proper sanitization or encoding. When other users or administrators view the affected asset selector interface, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. The attack vector requires the attacker to be authenticated, but no elevated privileges are necessary, increasing the risk in environments with many authenticated users. The vulnerability has a CVSS 4.0 score of 4.8, reflecting a network attack vector, low attack complexity, no privileges required, required user interaction, and limited impact on confidentiality and integrity. No public exploits or patches are currently available, emphasizing the need for proactive mitigation. The vulnerability was publicly disclosed on September 29, 2025, and the CVE was assigned by Liferay. This flaw highlights insufficient input validation and output encoding in the portal's asset selector component, a critical area for user-generated content.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to web applications and portals built on affected Liferay versions. Successful exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, leading to session hijacking, theft of sensitive information, or unauthorized portal actions. This can undermine user trust, cause data breaches, and disrupt business operations. Organizations in sectors such as government, finance, healthcare, and education that rely on Liferay Portal for internal or external web services are particularly vulnerable. The requirement for authentication limits exposure but does not eliminate risk, especially in environments with large user bases or weak access controls. Additionally, the stored nature of the XSS increases the likelihood of widespread impact once malicious payloads are injected. The absence of known exploits reduces immediate threat but does not preclude targeted attacks or future exploitation. Overall, the vulnerability can degrade confidentiality and integrity of portal data and user sessions, potentially leading to reputational damage and regulatory compliance issues under GDPR if personal data is compromised.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately audit and restrict user permissions to limit who can edit asset author fields, reducing the attack surface.
2) Employ web application firewalls (WAFs) with rules targeting common XSS payloads to detect and block malicious inputs.
3) Apply strict input validation and output encoding on all user-supplied data, especially in the asset selector component, to prevent script injection.
4) Monitor logs and user activity for unusual patterns indicative of XSS attempts or exploitation.
5) Educate users and administrators about the risks of XSS and safe handling of portal content.
6) Engage with Liferay for official patches or updates and plan timely deployment once available.
7) Consider temporarily disabling or restricting the related asset selector feature if feasible until a fix is applied.
8) Conduct penetration testing focused on XSS vectors within the portal environment to identify residual risks.
These targeted actions go beyond generic advice by focusing on the specific vulnerable component and operational context.
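An added example (not Liferay code and not part of the original advisory) for mitigations 3 and 4: it audits an exported user list for name fields that contain markup and shows the HTML-encoded form a view should emit. The CSV layout and the column names userId, firstName, middleName and lastName are assumptions, and the sample rows are constructed.

```python
import csv
import html
import io
import re

NAME_FIELDS = ("firstName", "middleName", "lastName")  # assumed export column names

# Patterns that have no place in a person's name but matter once rendered as HTML.
SUSPICIOUS = [
    ("angle bracket", re.compile(r"[<>]")),
    ("event handler attribute", re.compile(r"\bon\w+\s*=", re.I)),
    ("script URL scheme", re.compile(r"javascript\s*:", re.I)),
]

def audit_names(rows):
    """Return (userId, field, reason) for each name field that looks like markup."""
    findings = []
    for row in rows:
        for field in NAME_FIELDS:
            # Decode entities so an entity-encoded attempt is still surfaced for triage.
            decoded = html.unescape(row.get(field) or "")
            for reason, pattern in SUSPICIOUS:
                if pattern.search(decoded):
                    findings.append((row["userId"], field, reason))
                    break  # one finding per field is enough
    return findings

def render_author(row):
    """Join the name parts and HTML-encode them for element content or a quoted attribute."""
    full = " ".join(row[f] for f in NAME_FIELDS if row.get(f))
    return html.escape(full, quote=True)

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

# Constructed sample export; not data from any real portal.
SAMPLE_CSV = """userId,firstName,middleName,lastName
1001,Ana,,O'Brien
1002,<script>x</script>,,Doe
1003,Lee,"x"" onfocus=""y",Park
1004,Kim,,&lt;b&gt;Roe
"""

if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    for finding in audit_names(rows):
        print(finding)
    print(render_author(rows[1]))
```

The apostrophe in row 1001 is deliberately not flagged, since it occurs in real names; encoding at output time is what keeps it harmless inside a quoted attribute.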
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:35.683Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68db1fa6a473ffe031e278ab
Added to database: 9/30/2025, 12:09:10 AM
Last enriched: 10/7/2025, 12:53:27 AM
Last updated: 11/14/2025, 3:48:52 PM