CVE-2025-43744
📋 TL;DR
A stored DOM-based XSS vulnerability in Liferay Portal and DXP allows attackers to inject malicious JavaScript via DDM structure field labels in the Asset Publisher configuration UI. This affects Liferay Portal 7.4.0-7.4.3.132 and multiple Liferay DXP versions from 2024.Q1.1 through 2025.Q2.5. Attackers with access to the configuration UI can execute arbitrary JavaScript in the browsers of other users who view the affected UI.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Session hijacking, credential theft, or defacement of the portal interface for users accessing the vulnerable Asset Publisher configuration.
If Mitigated
Limited impact if proper Content Security Policy (CSP) headers are implemented and user input validation is enforced elsewhere.
🎯 Exploit Status
Exploitation requires authenticated access to the configuration interface; stored nature means payload persists until removed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.133+, Liferay DXP 2025.Q2.6+, 2025.Q1.16+, 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.20+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43744
Restart Required: No
Instructions:
1. Download the appropriate fix pack or hotfix from Liferay's customer portal.
2. Apply the fix following Liferay's update procedures.
3. Verify the update by checking the version number.
🔧 Temporary Workarounds
Implement Content Security Policy
Add strict CSP headers to prevent execution of inline scripts and restrict script sources.
Add the header Content-Security-Policy: script-src 'self' to the web server configuration. A script-src policy without nonces or hashes also blocks the portal's own inline scripts, so roll it out first as Content-Security-Policy-Report-Only and review the violation reports before enforcing it.
Restrict Access to Asset Publisher Configuration
Limit which users can access the vulnerable configuration UI through role-based permissions.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for DDM structure field labels in custom code.
- Monitor and audit user activity in Asset Publisher configuration for suspicious modifications.
🔍 How to Verify
Check if Vulnerable:
Check if your Liferay version falls within the affected ranges listed above.
Check Version:
Check Liferay's Control Panel → Server Administration → Properties → liferay.version
Verify Fix Applied:
Verify the installed version is patched (e.g., 7.4.3.133+ for Portal) and test Asset Publisher configuration for XSS by attempting to inject script tags.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to DDM structure field labels in Asset Publisher configuration logs
- Multiple failed login attempts followed by configuration access
Network Indicators:
- Unexpected JavaScript payloads in HTTP requests to Asset Publisher endpoints
SIEM Query:
source="liferay.log" AND ("AssetPublisher" OR "DDM structure") AND ("script" OR "javascript:" OR "onerror=")
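The log indicators and SIEM query above, turned into a scanner run over constructed sample lines; this is an added example, not code from the page or from Liferay. The log line format, the class names in brackets and the user= field are assumptions, and the scanner decodes percent-encoding and HTML entities before matching so that an encoded stored payload is not missed.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample lines in a Liferay-like format (assumed, not real output).
# Line 2 carries an event-handler payload, line 3 a percent-encoded script tag,
# line 5 mentions "javascript:" outside the Asset Publisher / DDM context.
SAMPLE_LOG = """\
2025-06-01 10:12:03 INFO [exec-3][AssetPublisherConfigurationAction:88] user=jsmith updated ddmStructureFieldLabel="Headline"
2025-06-01 10:12:41 INFO [exec-5][AssetPublisherConfigurationAction:88] user=contractor7 updated ddmStructureFieldLabel="<img src=x onerror=alert(1)>"
2025-06-01 10:13:02 INFO [exec-2][DDMStructureLocalServiceImpl:201] user=contractor7 updated ddmStructureFieldLabel="%3Cscript%3Ealert(1)%3C/script%3E"
2025-06-01 10:14:17 INFO [exec-1][LoginUtil:77] user=jsmith login ok
2025-06-01 10:15:55 INFO [exec-4][JournalArticleLocalServiceImpl:410] user=editor updated content="javascript: tutorial series"
"""

# The two halves of the page's SIEM query: where the event happened, and what it carried.
CONTEXT = re.compile(r"AssetPublisher|DDM ?structure", re.IGNORECASE)
PAYLOAD = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def normalize(line: str) -> str:
    """Undo encodings a stored payload is often wrapped in before matching:
    percent-encoding (applied twice to catch double encoding) and HTML entities."""
    for _ in range(2):
        line = unquote(line)
    return html.unescape(line)


def scan(log_text: str) -> list:
    """Return one record per line that matches both the context and the payload pattern."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        decoded = normalize(raw)
        if CONTEXT.search(decoded) and PAYLOAD.search(decoded):
            user = re.search(r"user=(\S+)", decoded)
            hits.append({"line": lineno, "user": user.group(1) if user else None, "raw": raw})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: user={hit['user']} -> {hit['raw']}")
```

Lines 2 and 3 are reported and attributed to the same account; line 5 is not, because the payload pattern alone is not enough without the Asset Publisher or DDM context.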