CVE-2025-43820: CWE-79: Cross-site Scripting in Liferay Portal
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle text, or (3) Last Name text fields.
AI Analysis
Technical Summary
CVE-2025-43820 is a cross-site scripting (XSS) vulnerability (CWE-79) in the Calendar widget of Liferay Portal versions 7.4.3.35 through 7.4.3.110 and of multiple Liferay DXP versions from 2023.Q3.1 through 2023.Q4.4. It arises because the application fails to sanitize or encode user-supplied input in the First Name, Middle text, and Last Name fields when users are invited to calendar events. An attacker can place HTML or JavaScript payloads in these fields; when the invitation is rendered in a victim's browser, the payload executes as script. This can lead to session hijacking, credential theft, or unauthorized actions performed on the victim's behalf. The CVSS 4.0 score of 4.8 reflects medium severity: network attack vector, low attack complexity, no privileges required, but user interaction required (viewing the malicious event invitation). The vulnerability primarily affects confidentiality and integrity, with limited impact on availability. No patches are currently linked and no exploits are known in the wild, but the presence of this flaw in widely used enterprise portal software warrants prompt attention. Any user who receives and interacts with a malicious calendar invitation is in scope, which makes the flaw a vector for targeted phishing or social engineering within organizations.
Potential Impact
For European organizations, this vulnerability poses a risk of client-side compromise through malicious script execution in users' browsers. This can lead to theft of session tokens, unauthorized access to sensitive portal resources, and potential lateral movement within corporate networks if attackers leverage stolen credentials or session data. Organizations relying on Liferay Portal for internal collaboration, document management, or customer engagement may face data confidentiality breaches and reputational damage. The Calendar widget is commonly used for scheduling and event management, so exploitation could also disrupt business workflows or be used to deliver further malware payloads. Given the medium severity and the need for user interaction, the impact is significant but not catastrophic; however, targeted spear-phishing campaigns exploiting this vulnerability could be effective against high-value targets. The lack of known exploits in the wild suggests a window of opportunity for defenders to remediate before widespread attacks occur.
Mitigation Recommendations
European organizations should immediately assess their Liferay Portal and DXP versions to identify affected instances. Although no official patches are linked yet, organizations should implement strict input validation and output encoding on the Calendar widget's user name fields to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact. Disable or restrict the Calendar invitation feature if not critical, or limit invitations to trusted users only. Conduct user awareness training to recognize suspicious calendar invitations and avoid interacting with untrusted event content. Monitor web application logs for unusual input patterns or repeated injection attempts. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting these fields. Maintain up-to-date backups and incident response plans to quickly address any compromise stemming from exploitation.
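The first recommendation above is an inventory check against the version ranges in the description. The following script is an added example, not tooling from this page or from Liferay; it encodes only the inclusive ranges the description lists (it does not assert that other versions are fixed), and the three version notations it parses and the sample hostnames are assumptions for illustration.

```python
import re

# Inclusive affected ranges as given in the CVE-2025-43820 description.
# Each family uses its own notation, so ranges are compared per family.
AFFECTED_RANGES = {
    "portal":    [((7, 4, 3, 35), (7, 4, 3, 110))],   # Liferay Portal 7.4.3.35 - 7.4.3.110
    "quarterly": [((2023, 4, 0), (2023, 4, 4)),       # Liferay DXP 2023.Q4.0 - 2023.Q4.4
                  ((2023, 3, 1), (2023, 3, 6))],      # Liferay DXP 2023.Q3.1 - 2023.Q3.6
    "update":    [((7, 4, 35), (7, 4, 92)),           # Liferay DXP 7.4 update 35 - 92
                  ((7, 3, 25), (7, 3, 35))],          # Liferay DXP 7.3 update 25 - 35
}

def parse_version(text):
    """Classify a version string into one of the three notations the advisory uses."""
    s = text.strip()
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", s)          # e.g. 7.4.3.87
    if m:
        return "portal", tuple(int(x) for x in m.groups())
    m = re.fullmatch(r"(\d{4})\.q(\d)\.(\d+)", s, re.IGNORECASE)  # e.g. 2023.Q4.2
    if m:
        return "quarterly", tuple(int(x) for x in m.groups())
    m = re.fullmatch(r"(\d+)\.(\d+)\s+update\s+(\d+)", s, re.IGNORECASE)  # e.g. 7.3 update 30
    if m:
        return "update", tuple(int(x) for x in m.groups())
    raise ValueError(f"unrecognised Liferay version string: {text!r}")

def is_affected(text):
    """True when the version falls inside any range the advisory lists."""
    family, version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES[family])

def triage(inventory):
    """inventory: iterable of (hostname, version) pairs; returns the affected hosts."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("portal-prod-01", "7.4.3.87"),
    ("portal-prod-02", "7.4.3.111"),
    ("dxp-intranet", "2023.Q4.2"),
    ("dxp-legacy", "7.3 update 30"),
    ("dxp-updated", "7.4 update 93"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is within an affected range for CVE-2025-43820")
```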
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:35.684Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68db1fa6a473ffe031e278ae
Added to database: 9/30/2025, 12:09:10 AM
Last enriched: 10/7/2025, 12:49:15 AM
Last updated: 11/16/2025, 12:52:40 PM