CVE-2025-43821: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.
AI Analysis
Technical Summary
CVE-2025-43821 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Commerce Product Comparison Table widget of Liferay Portal and Liferay DXP versions ranging from 7.4.0 to 7.4.3.111 and various 2023 Q3 and Q4 releases. The vulnerability arises from improper neutralization of input during web page generation, specifically when the Commerce Product's Name text field is rendered. An attacker with low privileges can place a crafted payload in this field; because the widget renders it without adequate sanitization or encoding, arbitrary HTML or JavaScript executes in the victim's browser. The CVSS 4.0 score is 4.8 (medium), reflecting a network attack vector, low attack complexity and no privileges required, but user interaction is necessary. The impact is limited confidentiality and integrity loss, with no availability impact and no authentication requirement. No public exploits have been reported yet, but the vulnerability poses a risk of session hijacking, phishing, or unauthorized actions within the portal. The lack of patch links suggests that fixes may be pending or require vendor coordination. This vulnerability is particularly relevant for organizations using Liferay's commerce features, as the product comparison widget is a common component in e-commerce portals, and exploitation could be leveraged in targeted attacks against users interacting with affected portals.
Potential Impact
For European organizations, this vulnerability could lead to targeted cross-site scripting attacks against users of Liferay-based e-commerce portals, potentially resulting in session hijacking, credential theft, or unauthorized actions performed on behalf of users. This can damage customer trust, lead to data breaches, and cause regulatory compliance issues under GDPR due to exposure of personal data. The medium severity indicates moderate risk, but the ease of exploitation combined with user interaction means phishing or social engineering campaigns could amplify impact. Organizations relying on Liferay Portal for product comparison or commerce features are particularly vulnerable. The impact extends to both internal users and external customers, affecting business continuity and reputation. Additionally, attackers could use this vulnerability as a foothold for further attacks within the network if administrative users are targeted. The lack of known exploits reduces immediate risk but should not lead to complacency.
Mitigation Recommendations
1. Apply official patches or updates from Liferay as soon as they become available to address CVE-2025-43821.
2. Until patches are deployed, disable or restrict access to the Commerce Product Comparison Table widget to prevent injection vectors.
3. Implement strict input validation and sanitization on the Commerce Product Name field, ensuring that HTML and script tags are either escaped or removed.
4. Employ robust output encoding when rendering user-supplied data in web pages to prevent script execution.
5. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the portal.
6. Conduct security awareness training for users to recognize suspicious inputs or phishing attempts that might exploit this vulnerability.
7. Monitor web application logs for unusual input patterns or repeated injection attempts targeting the product name field.
8. Consider deploying web application firewalls (WAF) with rules tailored to detect and block XSS payloads specific to Liferay's commerce widgets.
9. Review and limit user privileges to minimize the ability of attackers to inject malicious content.
10. Perform regular security assessments and code reviews focusing on input handling in custom or third-party widgets.
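An added example (not Liferay's code) of the output-encoding fix behind items 3 and 4: the raw concatenation that produces the CWE-79 pattern beside a context-aware encoded version, checked with a constructed product name that carries markup and a quote. The product records, function names and the table layout are assumptions, not the widget's actual implementation.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample product records (not Liferay data); the second name carries
# markup and a double quote so both the text and attribute contexts are exercised.
PRODUCTS = [
    {"name": "Basic Laptop", "price": "899.00"},
    {"name": 'Laptop "Pro" <b>15</b>', "price": "1299.00"},
]


def render_row_vulnerable(product):
    """The CWE-79 pattern: a user-controlled name concatenated raw into both an
    attribute value and a text node, so any markup in it reaches the browser."""
    return (
        f'<tr><td title="{product["name"]}">{product["name"]}</td>'
        f'<td>{product["price"]}</td></tr>'
    )


def render_row_hardened(product):
    """Encode per output context. quote=True also escapes " and ', which is
    required inside an attribute value; text nodes only need &, < and >."""
    name_attr = escape(product["name"], quote=True)
    name_text = escape(product["name"], quote=False)
    price = escape(product["price"], quote=True)
    return f'<tr><td title="{name_attr}">{name_text}</td><td>{price}</td></tr>'


def render_table(products, row_renderer):
    rows = "".join(row_renderer(p) for p in products)
    return f"<table>{rows}</table>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(rendered_html):
    """Element names a parser creates from the markup; a hardened table must
    contain only the elements the template itself emits, never one from a name."""
    collector = _TagCollector()
    collector.feed(rendered_html)
    return collector.tags
```

Regression-testing a widget with `element_names` on rendered output catches the case where an attribute context was left unencoded even though the visible text looks escaped.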
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:37.245Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e663569e2ffba8db3c457e
Added to database: 10/8/2025, 1:12:54 PM
Last enriched: 10/8/2025, 1:13:26 PM
Last updated: 10/8/2025, 5:41:29 PM