CVE-2025-43802
📋 TL;DR
This stored XSS vulnerability in Liferay Portal/DXP allows attackers to inject malicious scripts into the externalReferenceCode parameter of custom object API endpoints. When users access affected pages, the scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. Organizations running affected Liferay versions with custom objects are vulnerable.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full control of the Liferay instance, exfiltrate sensitive data, or deploy ransomware payloads to users' browsers.
Likely Case
Session hijacking of regular users, credential theft via phishing, defacement of web pages, or data exfiltration from user sessions.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires knowledge of custom object names and API access. The stored nature means one successful injection can affect multiple users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.110+, Liferay DXP 2023.Q3.5+, 7.4 update 93+, 7.3 update 36+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43802
Restart Required: No
Instructions:
1. Download the appropriate patch from Liferay's customer portal.
2. Apply the patch using Liferay's patching tool.
3. Verify the patch applied successfully.
4. Test custom object functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement a servlet filter or middleware to sanitize externalReferenceCode parameter values before processing.
Implement custom filter in Liferay's web.xml or use OSGi component to intercept /o/c/* requests
Output Encoding
Ensure all user-controlled data displayed in web pages uses proper HTML encoding.
Use Liferay's HtmlUtil.escape() or equivalent encoding functions in JSPs and templates
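The two workarounds above (the input-validation filter and the output-encoding step) as an added Python model; this is illustration code, not Liferay's Java servlet filter or its HtmlUtil. A WSGI middleware stands in for the servlet filter: on requests under /o/c/ it checks every externalReferenceCode value (query string and JSON body) against an allowlist and refuses the request otherwise, while the stand-in page renders the value through html.escape, which plays the role of HtmlUtil.escape(). The allowlist character set, the WSGI framing, the demo app and the 400 response are assumptions; only the /o/c/ prefix and the parameter name come from the advisory.

```python
import html
import json
import re
from io import BytesIO
from urllib.parse import parse_qs

# Allowlist for externalReferenceCode: it is an opaque identifier, so letters,
# digits and a few separators suffice; '<', '>', quotes and ':' never pass.
# The exact character set is an assumption; tighten it to what your objects use.
ERC_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,255}$")


def erc_is_valid(value):
    """Input-validation step: True only when the value matches the allowlist."""
    return ERC_PATTERN.fullmatch(value) is not None


def encode_for_html(value):
    """Output-encoding step. html.escape stands in for Liferay's HtmlUtil.escape():
    markup characters become entities, so the browser shows text, not a script."""
    return html.escape(value, quote=True)


def _extract_ercs(environ):
    """Collect externalReferenceCode values from the query string and, for JSON
    bodies, from the top-level object. Returns (values, raw_body_bytes)."""
    values = parse_qs(environ.get("QUERY_STRING", "")).get("externalReferenceCode", [])
    body = b""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    if length > 0:
        body = environ["wsgi.input"].read(length)
        if environ.get("CONTENT_TYPE", "").startswith("application/json"):
            try:
                payload = json.loads(body)
            except ValueError:
                payload = None  # malformed JSON: nothing to validate here
            if isinstance(payload, dict) and "externalReferenceCode" in payload:
                values = values + [str(payload["externalReferenceCode"])]
    return values, body


class ErcValidationMiddleware:
    """Models the servlet-filter workaround: requests under /o/c/ whose
    externalReferenceCode fails the allowlist are refused with 400."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").startswith("/o/c/"):
            values, body = _extract_ercs(environ)
            # The body stream was consumed; hand an identical copy to the application.
            environ["wsgi.input"] = BytesIO(body)
            environ["CONTENT_LENGTH"] = str(len(body))
            if not all(erc_is_valid(v) for v in values):
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [b"invalid externalReferenceCode"]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Stand-in for the portal page: echoes the code into HTML, encoded."""
    values, _ = _extract_ercs(environ)
    code = values[0] if values else ""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [("<p>Object: " + encode_for_html(code) + "</p>").encode()]


def run_request(path, query="", body=b"", content_type="application/json"):
    """Drive the filtered app with a synthetic request; returns (status, html)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_TYPE": content_type,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    chunks = ErcValidationMiddleware(_demo_app)(environ, start_response)
    return captured["status"], b"".join(chunks).decode()


if __name__ == "__main__":
    print(run_request("/o/c/tickets", query="externalReferenceCode=TICKET-42"))
    print(run_request("/o/c/tickets", body=b'{"externalReferenceCode": "<b>not-an-id</b>"}'))
```

The two layers are deliberately independent: the middleware stops markup from being stored at all, and the encoding in the page keeps anything that was stored before the filter went in (or that arrives through a path the filter does not cover) from being interpreted as script. Both should be in place until the vendor patch is applied.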
🧯 If You Can't Patch
- Disable or restrict access to custom object API endpoints using web application firewall rules
- Implement strict Content Security Policy headers to prevent script execution from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Test by submitting a payload like <script>alert('XSS')</script> to the externalReferenceCode parameter of any /o/c/<object-name> endpoint and check if it executes when viewing affected pages.
Check Version:
Check Liferay's Control Panel → Configuration → Server Administration → Properties → liferay.version
Verify Fix Applied:
After patching, repeat the test payload submission and verify it appears as encoded text rather than executing.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /o/c/* endpoints with script-like content in parameters
- Multiple failed login attempts following suspicious API calls
Network Indicators:
- HTTP requests containing <script> tags or javascript: URIs in externalReferenceCode parameter
- Unusual outbound connections from user browsers after accessing Liferay pages
SIEM Query:
source="liferay-logs" AND uri_path="/o/c/*" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
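The SIEM query above as an added Python check (not part of the advisory) run over constructed, Liferay-style JSON access-log lines. The OR is parenthesised so it applies to the two body indicators only, and the check decodes one layer of URL and HTML-entity encoding, since a proxy log often stores %3Cscript%3E rather than the literal tag. Field names (uri_path, request_body, query, src_ip), the documentation-range IP addresses and the sample lines themselves are assumptions; the /o/c/ prefix and the two indicator strings come from the advisory.

```python
import json
import re
from html import unescape
from urllib.parse import unquote

# The two indicators from the advisory; the regexes tolerate whitespace and case.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_URI = re.compile(r"javascript\s*:", re.IGNORECASE)


def normalize(text):
    """Undo one round of URL- and HTML-entity encoding so that %3Cscript%3E and
    &lt;script&gt; are matched as well as the literal tag."""
    return unescape(unquote(text))


def is_suspicious(record):
    """Code equivalent of:
    uri_path="/o/c/*" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
    The query string is checked too, because GET requests carry the parameter there."""
    if not record.get("uri_path", "").startswith("/o/c/"):
        return False
    haystack = normalize(record.get("request_body", "") + " " + record.get("query", ""))
    return bool(SCRIPT_TAG.search(haystack) or JS_URI.search(haystack))


def scan(lines):
    """Parse JSON log lines and return the records that match."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the scan
        if is_suspicious(record):
            hits.append(record)
    return hits


def summarize(hits):
    """Count matches per source address, the usual pivot for triage."""
    counts = {}
    for record in hits:
        ip = record.get("src_ip", "unknown")
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def _line(**fields):
    return json.dumps(fields)


# Constructed sample log lines (not real traffic); IPs are from RFC 5737 ranges.
SAMPLE_LOG = [
    _line(src_ip="198.51.100.7", method="POST", uri_path="/o/c/tickets",
          request_body='{"externalReferenceCode":"TICKET-42"}'),                 # benign
    _line(src_ip="198.51.100.7", method="POST", uri_path="/o/c/tickets",
          request_body='{"externalReferenceCode":"<script>alert(1)</script>"}'),  # literal tag
    _line(src_ip="203.0.113.5", method="PUT", uri_path="/o/c/tickets/17",
          request_body='{"externalReferenceCode":"%3Cscript%3Ealert(1)%3C/script%3E"}'),  # URL-encoded
    _line(src_ip="203.0.113.5", method="GET", uri_path="/o/c/tickets",
          query="externalReferenceCode=javascript:alert(1)", request_body=""),  # javascript: URI
    _line(src_ip="192.0.2.9", method="POST", uri_path="/web/guest/home",
          request_body="<script>"),                                             # outside /o/c/, ignored
    "this line is not json",
]


if __name__ == "__main__":
    matches = scan(SAMPLE_LOG)
    for record in matches:
        print(record["src_ip"], record["method"], record["uri_path"])
    print(summarize(matches))
```

A string match like this is a starting point, not a complete detection: values that arrive already stored and are only rendered later never appear in a request, so pair it with the version check above and with review of the externalReferenceCode values actually present in the affected custom objects.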