CVE-2025-43822 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, impacting Liferay Portal versions 7.4.3.15 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92. The vulnerability arises from improper neutralization of input during web page generation, specifically in the Terms and Conditions Name text fields associated with Payment Terms and Delivery Terms on the view order page. Attackers with low privileges can inject malicious scripts or HTML by submitting crafted payloads into these fields. When other users view the affected pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction (viewing the malicious page) but does not require authentication, increasing its attack surface. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, but user interaction needed, and low impact on confidentiality and integrity. No public exploits have been reported yet, but the presence of stored XSS in a widely used enterprise portal software poses a significant risk if weaponized. The vulnerability affects web applications that rely on Liferay Portal for content and order management, making it relevant for organizations using these versions in their digital infrastructure.

For European organizations, this vulnerability could lead to unauthorized access to user sessions, data leakage, and manipulation of web content, undermining trust and potentially causing financial and reputational damage. Organizations in sectors such as finance, e-commerce, government, and healthcare that use Liferay Portal for customer-facing or internal portals are particularly at risk. Exploitation could facilitate phishing attacks, spread malware, or enable attackers to escalate privileges within the affected environment. The medium CVSS score reflects moderate impact, but the stored nature of the XSS increases persistence and potential reach. Given the widespread use of Liferay in Europe, especially in countries with strong digital public services and enterprise adoption, the threat could disrupt critical services and compliance with data protection regulations like GDPR if personal data is compromised.

Organizations should immediately identify and inventory all instances of Liferay Portal and DXP running affected versions. Since no official patches are linked yet, temporary mitigations include implementing strict input validation and sanitization on the Terms and Conditions Name fields to block or neutralize script tags and other malicious payloads. Employ output encoding on all user-supplied content before rendering it in the browser to prevent script execution. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Limit user privileges to reduce the risk of malicious input submissions. Monitor logs and web traffic for suspicious activities related to these fields. Plan for prompt application of official patches once released by Liferay. Additionally, educate users about the risks of clicking on suspicious links or interacting with untrusted content within the portal.