
CVE-2025-43771: Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields

Basic Information

CVSS Score: N/A
EPSS Score: 0.36234%
Published: 10/8/2025
Updated: 10/9/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name                       Ecosystem   Vulnerable Versions   First Patched Version
com.liferay:com.liferay.flags.web  maven       >= 6.0.23, < 6.0.24   6.0.24

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in several notification handler classes within Liferay Portal. The core of the issue is the use of unescaped data when constructing notification messages. The patches consistently show a shift from retrieving the originalValue to the escapedValue of each field in the JSON payload that makes up the notification content; the escaped copy is stored alongside the original and is the one that is safe to concatenate into HTML.

The analysis of the provided commits reveals the following:

  1. com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler: Both the getBody and getLink methods were vulnerable. They were using a helper method _getOriginalValue which, as the name implies and the patch confirms, was fetching raw, unescaped data. This data, originating from user-provided fields like names or flagged content reasons, could contain malicious scripts. The fix involved renaming _getOriginalValue to _getEscapedValue and ensuring it fetches pre-escaped data from the JSON payload.

  2. com.liferay.asset.publisher.web.internal.notifications.AssetPublisherUserNotificationHandler: The getBodyContent method in this class was also found to be vulnerable. Similar to the previous case, it was retrieving the originalValue from a JSON object, which was then rendered without proper escaping. The fix was to switch to using the escapedValue.

The test file changes in commit 28dc724658e13acb80f30fb3211d0849592ec4ef further confirm the nature of the vulnerability by adding specific test cases for XSS payloads in user names and other content, ensuring they are properly escaped in the final output.

An engineer seeing this CVE in their environment should understand that any user-generated content that can trigger a notification via the Flags or Asset Publisher widgets (for example a flagging user's name or the reason given for a flag) could be a vector for this XSS. The payload is persisted in the notification's JSON and rendered later, in the browser of whoever views the notification, so the attacker does not need the victim to be present when the flag is raised. The identified functions are the points where this input is processed and rendered, making them the key indicators of exploitation in a runtime profile. Note that the package table above lists only com.liferay:com.liferay.flags.web; the Asset Publisher handler lives in a separate module (asset-publisher-web), so that module's version should be checked as well.

Vulnerable functions

com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler.getBody
modules/apps/flags/flags-web/src/main/java/com/liferay/flags/web/internal/notifications/FlagsUserNotificationHandler.java
The `getBody` method was vulnerable to XSS because it used the `_getOriginalValue` method, which retrieved unescaped data from the JSON payload. This unescaped data, which could include user names and other content, was then used to construct the notification body, allowing for the injection of malicious scripts.
com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler.getLink
modules/apps/flags/flags-web/src/main/java/com/liferay/flags/web/internal/notifications/FlagsUserNotificationHandler.java
The `getLink` method was vulnerable because it used the `_getOriginalValue` method to retrieve the content URL from the JSON payload. If a malicious URL containing script was provided, it would be rendered unescaped, leading to an XSS vulnerability.
com.liferay.asset.publisher.web.internal.notifications.AssetPublisherUserNotificationHandler.getBodyContent
modules/apps/asset/asset-publisher-web/src/main/java/com/liferay/asset/publisher/web/internal/notifications/AssetPublisherUserNotificationHandler.java
The `getBodyContent` method was vulnerable to XSS because it directly returned the `originalValue` from the JSON object, which was not sanitized. This allowed for the injection of arbitrary HTML and script into the notification content.
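The following is an added example, not code from Liferay or from the fix commits. It models the originalValue / escapedValue pattern described in the root cause analysis and in the three function entries above using plain java.util types, so it runs without Liferay on the classpath. The class, method and map names (NotificationEscapingExample, payloadField, vulnerableBody, fixedBody, fixedLink, escapeHtml) and the sample field names are hypothetical; only the JSON keys originalValue and escapedValue come from the analysis. The escaper is a stand-in for the portal's own escaping utility, and the sample payloads are constructed for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added example, not Liferay code. Models the originalValue / escapedValue
 * pattern from the CVE analysis with plain java.util types. All names below
 * are hypothetical except the JSON keys "originalValue" and "escapedValue".
 */
public class NotificationEscapingExample {

    // Minimal HTML escaper standing in for the portal's escaping utility.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '&':  sb.append("&amp;"); break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // One field of the notification payload: the raw value and a pre-escaped
    // copy are both persisted, and the handler chooses which one to render.
    static Map<String, String> payloadField(String original) {
        Map<String, String> field = new LinkedHashMap<>();
        field.put("originalValue", original);
        field.put("escapedValue", escapeHtml(original));
        return field;
    }

    // Shape of getBody() before the fix: reads originalValue, so a user name
    // or flag reason containing markup reaches the notification body verbatim.
    static String vulnerableBody(Map<String, Map<String, String>> payload) {
        String user = payload.get("userName").get("originalValue");
        String reason = payload.get("reason").get("originalValue");
        return "<strong>" + user + "</strong> flagged content: " + reason;
    }

    // Shape of getBody() after the fix (the _getOriginalValue -> _getEscapedValue
    // change): reads escapedValue for every field that lands in HTML.
    static String fixedBody(Map<String, Map<String, String>> payload) {
        String user = payload.get("userName").get("escapedValue");
        String reason = payload.get("reason").get("escapedValue");
        return "<strong>" + user + "</strong> flagged content: " + reason;
    }

    // Same idea for getLink(): the content URL is placed in an attribute, so
    // quotes must be escaped before it is concatenated into the href.
    static String fixedLink(Map<String, Map<String, String>> payload) {
        String url = payload.get("contentUrl").get("escapedValue");
        return "<a href=\"" + url + "\">View flagged content</a>";
    }

    // The kind of check the fix commit's tests add: the literal payload must
    // not survive into the rendered HTML.
    static boolean containsRawPayload(String html, String payload) {
        return html.contains(payload);
    }

    public static void main(String[] args) {
        // Constructed sample input: a display name carrying a script tag and
        // a content URL that tries to break out of the href attribute.
        String xss = "<script>alert(document.cookie)</script>";
        String attrBreak = "\" onmouseover=\"alert(1)";

        Map<String, Map<String, String>> payload = new LinkedHashMap<>();
        payload.put("userName", payloadField("mallory" + xss));
        payload.put("reason", payloadField("spam"));
        payload.put("contentUrl", payloadField("/web/guest/blog/1" + attrBreak));

        String before = vulnerableBody(payload);
        String after = fixedBody(payload);
        String link = fixedLink(payload);

        System.out.println("vulnerable body: " + before);
        System.out.println("fixed body:      " + after);
        System.out.println("fixed link:      " + link);

        if (!containsRawPayload(before, xss)) {
            throw new IllegalStateException("expected the unescaped body to carry the payload");
        }
        if (containsRawPayload(after, xss) || containsRawPayload(link, attrBreak)) {
            throw new IllegalStateException("escaped output still contains the raw payload");
        }
        System.out.println("escaped output neutralises both payloads");
    }
}
```

Run with javac NotificationEscapingExample.java && java NotificationEscapingExample. The point to carry over to any custom UserNotificationHandler: every value that is concatenated into the body or link string must come from the escaped copy, and the escaping must match the context it lands in (text node versus attribute). HTML escaping stops markup injection, which is the defect described here; it does not validate a URL's scheme, so a handler that places a user-controlled URL into an href should additionally reject anything that is not a relative path or http(s) URL.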

WAF Protection Rules

WAF Rule

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal *.*.*.*** through *.*.*.***, and Liferay DXP ****.Q*.* through ****.Q*.* and ****.Q*.* through ****.Q*.** allow remote attackers to inject arbitrary web
