CVE-2025-43822 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in Liferay Portal versions 7.4.3.15 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92. The vulnerability arises from improper neutralization of input during web page generation, specifically in the Terms and Conditions Name text fields associated with Payment Terms and Delivery Terms on the view order page. Attackers can inject malicious JavaScript or HTML payloads that are stored and later executed in the context of users viewing the affected pages. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), user interaction required (UI:A), and low impact on confidentiality and integrity (VC:L, VI:L), with no impact on availability. The vulnerability does not require authentication but does require some user interaction, such as a victim viewing a crafted order page. No public exploits are currently known, but the presence of stored XSS in critical e-commerce components poses a significant risk if weaponized. The vulnerability was reserved in April 2025 and published in October 2025, with no patch links provided yet, indicating that remediation may still be pending or in progress.

For European organizations, this vulnerability poses a risk primarily to web applications built on Liferay Portal or DXP that handle order management or e-commerce workflows. Successful exploitation could allow attackers to execute arbitrary scripts in the context of legitimate users, potentially leading to theft of session cookies, user credentials, or manipulation of order data. This could result in unauthorized transactions, data breaches, or reputational damage. Given the medium severity and the requirement for user interaction, the impact is moderate but could escalate if combined with social engineering. Organizations in sectors such as retail, finance, and public services that rely on Liferay for customer-facing portals are particularly at risk. The vulnerability could also be leveraged as a foothold for further attacks within internal networks if attackers gain access through compromised user accounts. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure.

European organizations should immediately assess their Liferay Portal and DXP deployments to identify affected versions. Until official patches are released, implement strict input validation and sanitization on the Terms and Conditions Name fields to prevent injection of malicious scripts. Employ context-aware output encoding on all user-supplied content rendered in web pages, especially in order-related views. Utilize Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Limit user privileges to reduce the risk of malicious input submissions. Monitor web application logs for unusual or suspicious input patterns targeting the vulnerable fields. Educate users about phishing and social engineering risks that could facilitate exploitation. Plan for timely application of vendor patches once available and conduct thorough testing to ensure the vulnerability is fully remediated. Consider deploying web application firewalls (WAFs) with rules targeting common XSS payloads as an interim protective measure.