CVE-2025-43735
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote unauthenticated attackers to inject malicious JavaScript via the google_gadget parameter. This affects users of Liferay Portal 7.4.0-7.4.3.131 and multiple Liferay DXP versions from 2024.Q1 through 2024.Q4. Attackers can execute arbitrary JavaScript in victims' browsers when they click malicious links.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware via drive-by downloads.
Likely Case
Session hijacking, credential theft, or defacement of the affected page through injected content.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) but is straightforward for attackers with basic web skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.132 or later; Liferay DXP 2024.Q4.8 or later, 2024.Q3.14 or later, 2024.Q2.14 or later, 2024.Q1.13 or later, and 7.4 update 93 or later
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43735
Restart Required: No
Instructions:
1. Download the latest patch from the Liferay customer portal.
2. Apply the patch according to Liferay's patching guide.
3. Verify the fix by testing the google_gadget parameter.
🔧 Temporary Workarounds
Input Validation Filter
Implement a web application firewall (WAF) or custom filter to sanitize the google_gadget parameter by blocking or encoding script tags and JavaScript content.
🧯 If You Can't Patch
- Disable or restrict access to the google_gadget feature if not required.
- Implement Content Security Policy (CSP) headers to mitigate XSS impact by restricting script execution.
🔍 How to Verify
Check if Vulnerable:
Test by injecting a simple script payload into the google_gadget parameter (e.g., <script>alert('XSS')</script>) and checking whether it executes in the browser.
Check Version:
Check the Liferay version via the Control Panel under Server Administration → System Information, or run a database query if accessible.
Verify Fix Applied:
After patching, repeat the vulnerability test; the script should be properly encoded or blocked, and no alert should appear.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to URLs containing the google_gadget parameter with script-like payloads in access logs.
Network Indicators:
- HTTP requests with suspicious parameters (e.g., containing <script> tags) to Liferay endpoints.
SIEM Query:
source="liferay_access_logs" AND uri="*google_gadget*" AND (payload="*<script>*" OR payload="*javascript:*")
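The SIEM query above assumes the log platform has already split out the query string. Where only raw web-server access logs are available, the same check can be run offline. The script below is an added example written for this page, not Liferay's code or a vendor tool: it parses combined-format access log lines (a constructed sample is embedded), extracts the google_gadget parameter, URL-decodes it (twice, to catch double-encoded payloads) and flags values matching the same script-tag and javascript: patterns as the SIEM query, plus inline event-handler attributes. The log lines, IP addresses and timestamps are constructed, and the log format and pattern set are assumptions to adjust to your environment.

```python
"""Flag access-log requests whose google_gadget parameter carries script-like content.

Added example for CVE-2025-43735 detection; not Liferay's code. Assumes Apache/
nginx combined log format and a constructed sample. Patterns mirror the SIEM
query on this page (script tags, javascript: URLs) plus on*= event handlers.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:12:00:01 +0000] "GET /web/guest/home?google_gadget=https%3A%2F%2Fexample.com%2Fgadget.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2025:12:00:02 +0000] "GET /web/guest/home?google_gadget=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jun/2025:12:00:03 +0000] "GET /web/guest/home?google_gadget=javascript%3Aalert(document.domain) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Jun/2025:12:00:04 +0000] "GET /web/guest/home?p_p_id=foo&google_gadget=%22%20onerror%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Jun/2025:12:00:05 +0000] "GET /web/guest/home?other=%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script-like content: <script, javascript:, inline event handlers (onerror=, onload=, ...).
# The \b keeps words such as "condition=" or "version=" from matching.
SUSPICIOUS = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def flag_suspicious(log_text):
    """Return one dict per request whose google_gadget value looks like injected script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)  # decodes percent-encoding once
        for value in params.get("google_gadget", []):
            decoded = unquote(value)  # second pass catches double-encoded payloads
            if SUSPICIOUS.search(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "value": decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} google_gadget={hit["value"]!r}')
```

Run it against a real log with `flag_suspicious(open("access.log").read())`. The last sample line is deliberately not flagged: it carries a script tag in a different parameter, which this check ignores so that it stays specific to the google_gadget parameter named in the advisory. Note that a 200 status on a flagged request only means the page was served, not that the payload executed; a flagged hit on an unpatched version is the combination worth escalating.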