July 6, 2026
CVE-2025–43807: Stored Cross-Site Scripting (XSS) Vulnerability in Liferay Portal Explained
Enterprise portal platforms are trusted environments. Administrators, content editors, and privileged users interact with them daily, often…

By Loginsoft
3 min read
Enterprise portal platforms are trusted environments. Administrators, content editors, and privileged users interact with them daily, often with elevated access to sensitive data and internal systems. That trust is precisely what makes a stored XSS vulnerability in a platform like Liferay Portal so consequential. CVE-2025–43807 is not a theoretical risk. It is a persistent, server-side script injection flaw that executes silently in the browsers of every user who views a compromised notification.
What CVE-2025–43807 Is and Which Liferay Versions Are Affected
CVE-2025–43807 is a stored cross-site scripting vulnerability (CWE-79) in Liferay Portal and Liferay DXP, carrying a CVSS v4.0 score of 4.8. It affects Liferay Portal versions 7.4.0 through 7.4.3.112 and multiple Liferay DXP releases including 7.4, 2023.Q3.1 through 10, and 2023.Q4.0 through 8.
The flaw resides in the Publications feature, specifically in how publication invitation notifications are rendered in the notifications widget. When a publication's "Name" field is displayed in the widget, user-supplied input is passed through without proper output encoding, creating a persistent injection point that executes in any affected user's browser on page load.
How the Liferay Portal Stored XSS Vulnerability Works
The attack flow is straightforward for any authenticated user with access to the Publications feature. An attacker creates or edits a publication and injects a malicious payload into the "Name" text field, for example a script tag designed to capture session cookies. When another user, potentially one with higher privileges, receives and views the publication invitation notification, the unsanitized payload executes directly in their browser session.
This is what separates stored XSS from reflected XSS: the malicious script is saved on the server and re-executed every time the affected content is loaded, without any additional attacker interaction required. A single injection can persist across multiple victim sessions until the content is removed, or the patch is applied.
Real-World Security Impact of CVE-2025–43807 in Enterprise Environments
The practical impact of a Liferay XSS vulnerability in an enterprise context extends well beyond a proof-of-concept script alert. Successful exploitation enables session hijacking and account takeover when authentication cookies are captured, theft of sensitive data displayed within the portal, phishing attacks that target administrators or privileged users through manipulated portal content, lateral movement within organizations using Liferay for intranets or digital workplaces, and compliance exposure in regulated industries where unauthorized data access carries reporting obligations.
The authentication requirement reduces the risk of mass exploitation from anonymous attackers, but it does not protect against insider threats, compromised low-privilege accounts, or targeted attacks where an adversary has already obtained basic access to the environment.
Patched Versions and Official Fix for CVE-2025–43807
The vulnerability has been resolved in Liferay Portal 7.4.3.113 and later, and in Liferay DXP versions 2024.Q2.0, 2024.Q1.1, and 2023.Q4.9 with corresponding updates. The fix addresses the root cause by adding proper output encoding to publication names before they are rendered in the notification widget, ensuring injected scripts are treated as text rather than executable content.
Organizations still running affected versions should apply the latest patches through Liferay's standard update mechanism or by downloading directly from official sources. The fix commit is publicly available on the Liferay GitHub repository for teams that need to verify the specific change.
Temporary Mitigations While Patching Is Underway
For organizations that cannot immediately apply the patch, two interim controls reduce exposure. Restricting access to the Publications feature for untrusted or low-privilege users limits who can create the injection vector in the first place. Deploying Content Security Policy (CSP) headers reduces the impact of any XSS execution by constraining what injected scripts can do within the browser context, including blocking unauthorized network requests that would be used to exfiltrate session tokens.
Neither mitigation eliminates the vulnerability. Upgrading to a patched release is the only complete remediation.
Secure Coding Practices to Prevent Stored XSS in Enterprise Portals
CVE-2025–43807 reflects a recurring pattern in enterprise portal vulnerabilities: user-generated content that flows from input to display without passing through proper output encoding. The fix is always the same in principle, but consistently difficult to apply at scale across complex platforms with many content rendering paths.
Effective XSS prevention in enterprise applications requires output encoding applied at the point of rendering rather than at input, use of templating frameworks that escape by default rather than requiring developers to remember to encode manually, Content Security Policy headers as a defense-in-depth layer, principle of least privilege applied to features that accept and store user-generated content, regular audits of display paths for user-controlled data, and WAF rules targeting common XSS patterns as an additional detection layer.
As enterprise portals add more collaborative features and user-generated content capabilities, injection vulnerabilities in notification and activity feed systems will continue to appear. CVE-2025–43807 is a concrete reminder that authenticated environments are not inherently safe from XSS, and that the severity of a stored injection flaw is determined not by its CVSS score but by the privilege level of whoever views it next.
Read the full Article: CVE-2025–43807 — Stored Cross-Site Scripting (XSS) Vulnerability in Liferay Portal Explained.