CVE-2025-43804
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in Liferay's Search widget that allows attackers to inject malicious scripts via the _com_liferay_portal_search_web_portlet_SearchPortlet_userId parameter. It affects users of Liferay Portal 7.4.3.93-7.4.3.111 and Liferay DXP 2023.Q4.0, 2023.Q3.1-2023.Q3.4 who access the search functionality.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deface the portal interface.
Likely Case
Session hijacking, credential theft, or limited client-side attacks against users who click malicious links.
If Mitigated
Minimal impact if proper input validation, output encoding, and Content Security Policy are implemented.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.112+, Liferay DXP 2023.Q4.1+, 2023.Q3.5+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43804
Restart Required: No
Instructions:
1. Back up your Liferay instance.
2. Download the appropriate fix pack from Liferay's customer portal.
3. Apply the fix pack following Liferay's deployment guide.
4. Verify the patch is applied correctly.
🔧 Temporary Workarounds
Input Validation Filter
Implement a servlet filter to sanitize the _com_liferay_portal_search_web_portlet_SearchPortlet_userId parameter
WAF Rule
Deploy a web application firewall rule to block requests containing script tags or JavaScript in the userId parameter
🧯 If You Can't Patch
- Disable the Search widget if not essential
- Implement strict Content Security Policy headers
🔍 How to Verify
Check if Vulnerable:
Test by accessing the search page with a payload like: /search?p_p_id=com_liferay_portal_search_web_portlet_SearchPortlet&_com_liferay_portal_search_web_portlet_SearchPortlet_userId=<script>alert('XSS')</script>
Check Version:
Check Liferay's Control Panel → Server Administration → Properties → liferay.version
Verify Fix Applied:
Repeat the test with the same payload; script should not execute and input should be properly encoded.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing script tags or JavaScript in the userId parameter
- Unusual search parameter patterns
Network Indicators:
- HTTP requests with suspicious userId parameter values
- Multiple failed XSS attempts
SIEM Query:
web.url:*search* AND web.param:_com_liferay_portal_search_web_portlet_SearchPortlet_userId:*script*
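The following log scanner is an added example, not part of the advisory or of Liferay's own tooling. It applies the numeric allow-list idea behind the servlet-filter workaround to access logs: it goes beyond the SIEM query above by percent-decoding the parameter (repeatedly, so double-encoded values are seen in the clear) and flagging any value that is not a plain numeric user ID, rather than matching only on the substring "script". It assumes Common Log Format lines and that a Liferay userId is always a numeric primary key; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The reflected parameter named in the advisory.
PARAM = "_com_liferay_portal_search_web_portlet_SearchPortlet_userId"

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:10:01:02 +0000] "GET /search?p_p_id=com_liferay_portal_search_web_portlet_SearchPortlet&_com_liferay_portal_search_web_portlet_SearchPortlet_userId=20123 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jun/2025:10:01:07 +0000] "GET /search?p_p_id=com_liferay_portal_search_web_portlet_SearchPortlet&_com_liferay_portal_search_web_portlet_SearchPortlet_userId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300
10.0.0.9 - - [10/Jun/2025:10:01:09 +0000] "GET /search?_com_liferay_portal_search_web_portlet_SearchPortlet_userId=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5300
10.0.0.7 - - [10/Jun/2025:10:02:00 +0000] "GET /web/guest/home HTTP/1.1" 200 8000
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d+)'
)

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded values are compared in the clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a line whose userId is not purely numeric, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("uri")).query
    values = parse_qs(query, keep_blank_values=True).get(PARAM)  # parse_qs decodes once
    if not values:
        return None
    for raw in values:
        decoded = decode_fully(raw)
        # Assumption: a Liferay userId is a numeric primary key, so anything else is suspect.
        if not decoded.isdigit():
            return {"ip": m.group("ip"), "time": m.group("ts"), "decoded": decoded}
    return None

def scan(log_text):
    """Scan a whole log body and return the list of findings in log order."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```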