
CVE-2025-43746: Liferay Portal Vulnerable to Cross-Site Scripting in Dynamic Data Mapping

CVSS Score: N/A

Basic Information

EPSS Score: 0.34573%
Published: 8/20/2025
Updated: 8/21/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Affected package
Package Name: com.liferay.portal:release.portal.bom
Ecosystem: maven
Vulnerable Versions: >= 7.4.0-ga1, <= 7.4.3.132-ga132
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a reflected cross-site scripting (XSS) issue within the Dynamic Data Mapping module of Liferay Portal. The root cause is the failure to properly sanitize the `portletNamespace` and `namespace` request parameters before they are written into the rendered HTML output.

The analysis of the provided commits pinpoints the exact location of the vulnerability and the subsequent fix. Commit 5ca8331da4503ae336818a747e43817066f27b73 shows the addition of HtmlUtil.escapeAttribute to sanitize these parameters in the createDDMFormFieldRenderingContext method of RenderStructureFieldMVCResourceCommand.java. This method is responsible for preparing the data that will be used for rendering.

The doServeResource method in the same class is the main handler for the resource request. It calls createDDMFormFieldRenderingContext to get the rendering context and then proceeds to render the HTML, which includes the tainted data. Therefore, doServeResource is the entry point for the exploitation of this vulnerability, and createDDMFormFieldRenderingContext is where the vulnerable data is processed.

An attacker could exploit this by crafting a URL with malicious JavaScript in the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace or _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_namespace parameters. When a user clicks this link, the script would execute in their browser in the context of the Liferay Portal domain. Both identified functions would be present in the execution stack during such an attack.
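As an added illustration (neither Liferay's code nor part of Miggo's analysis), the Python stand-in below shows the two tainted parameters landing in an HTML attribute, the escape-before-render fix that the commit introduces, and a request-side check that flags values of those parameters which do not look like a portlet namespace token. The element shape, the escape table, the namespace pattern and the URL are assumptions or constructed.

```python
"""Reflected XSS via request parameters echoed into HTML attributes, the
attribute-escaping fix, and a request-side check for the two parameters."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names as given in the advisory (DDMPortlet-namespaced).
PARAM_PREFIX = "_com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_"
TAINTED_PARAMS = (PARAM_PREFIX + "portletNamespace", PARAM_PREFIX + "namespace")

# Attribute escaper in the spirit of HtmlUtil.escapeAttribute (assumption:
# Liferay's own implementation escapes more characters than these five).
_ATTR_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape_attribute(value: str) -> str:
    return "".join(_ATTR_ESCAPES.get(ch, ch) for ch in value)


def render_structure_field(portlet_namespace: str, namespace: str, patched: bool) -> str:
    """Stand-in for the rendering-context -> HTML step of the resource command.
    The element shape is an assumption; only the attribute placement matters."""
    if patched:  # what the fixing commit adds: escape before the values reach markup
        portlet_namespace = escape_attribute(portlet_namespace)
        namespace = escape_attribute(namespace)
    return (f'<div class="ddm-field" data-portlet-namespace="{portlet_namespace}" '
            f'id="{namespace}structureField"></div>')


# Benign namespace values are "_<portletId>_" style tokens (assumption used for detection).
_NAMESPACE_RE = re.compile(r"^[A-Za-z0-9_]*$")


def suspicious_namespace_params(url: str) -> dict:
    """Values of the two tainted parameters that do not look like a namespace token."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, vs in qs.items() if k in TAINTED_PARAMS
            for v in vs if not _NAMESPACE_RE.match(v)}


if __name__ == "__main__":
    probe = '"><script>alert(1)</script>'  # constructed test string, not from the page
    print("unpatched:", render_structure_field(probe, "_ddm_", patched=False))
    print("patched:  ", render_structure_field(probe, "_ddm_", patched=True))
    url = ("https://portal.example/web/guest?p_p_id=x&" + TAINTED_PARAMS[0]
           + "=%22%3E%3Cscript%3E&" + TAINTED_PARAMS[1] + "=_ddm_")  # constructed URL
    print("flagged:", suspicious_namespace_params(url))
```

The same check can be run over access-log request lines to spot probing of these parameters on hosts still on a vulnerable 7.4 release.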
