CVE-2025-43741
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal/DXP allows authenticated attackers to inject malicious JavaScript via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter. This affects users of Liferay Portal 7.4.0-7.4.3.132 and multiple Liferay DXP versions from 2024.Q1.1 through 2025.Q1.3. Attackers must be authenticated to exploit this vulnerability.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker steals administrator session cookies, performs account takeover, and executes administrative actions on behalf of legitimate users.
Likely Case
Attacker steals session cookies from authenticated users, leading to unauthorized access to user accounts and potential data exposure.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access and user interaction (victim must click malicious link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.133+; Liferay DXP 2025.Q1.4+, 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.15+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43741
Restart Required: No
Instructions:
1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack according to Liferay's deployment documentation.
3. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement a servlet filter or WAF rule that rejects or encodes HTML and script content in the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Disable or restrict access to the UsersAdminPortlet for non-administrative users
🔍 How to Verify
Check if Vulnerable:
Check Liferay version via Control Panel > Configuration > Server Administration > System Information
Check Version:
Check Liferay build number in Control Panel or via server logs
Verify Fix Applied:
Verify installed fix pack version matches or exceeds patched versions listed in vendor advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values in _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames containing script tags or JavaScript
Network Indicators:
- HTTP requests with suspicious JavaScript payloads in the assetTagNames parameter
SIEM Query:
source="liferay.log" AND "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
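To run the same indicators over raw web-server access logs, here is an added example that is not part of this advisory or of Liferay's own tooling: it extracts the parameter from the request line and URL-decodes it (repeatedly, to catch double-encoding) before matching, because a literal string match such as the SIEM query above does not see `<script>` when the request carries it as `%3Cscript%3E`. The log format, addresses and usernames are constructed samples.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames"
# Indicator substrings taken from the advisory's SIEM query, matched case-insensitively.
INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2025:10:01:02 +0000] "GET /group/control_panel/manage?p_p_id=com_liferay_users_admin_web_portlet_UsersAdminPortlet&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames=finance HTTP/1.1" 200 5120
10.0.0.9 - alice [12/Mar/2025:10:02:15 +0000] "GET /group/control_panel/manage?p_p_id=com_liferay_users_admin_web_portlet_UsersAdminPortlet&_com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5120
10.0.0.9 - alice [12/Mar/2025:10:03:40 +0000] "GET /group/control_panel/manage?_com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames=%253Cscript%253E HTTP/1.1" 200 5120
10.0.0.7 - bob [12/Mar/2025:10:04:00 +0000] "GET /web/guest/home HTTP/1.1" 200 2048
"""


def extract_param(log_line: str) -> Optional[str]:
    """Return the fully URL-decoded value of PARAM from a log line, or None if absent."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    values = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    value = values[0]  # parse_qs has already decoded one layer
    # Decode until stable so a double-encoded %253C (-> %3C -> <) does not evade the match.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(value: str) -> bool:
    """True if the decoded parameter value contains any advisory indicator."""
    lowered = value.lower()
    return any(ind in lowered for ind in INDICATORS)


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_value) for every request whose parameter matches."""
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        value = extract_param(line)
        if value is not None and is_suspicious(value):
            hits.append((num, value))
    return hits


if __name__ == "__main__":
    for num, value in scan_log(SAMPLE_LOG):
        print(f"line {num}: suspicious assetTagNames value {value!r}")
```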