N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-43771

GHSA ID

GHSA-q8fj-76q7-4p7h

EPSS Score

0.36234%

CWE

CWE-79

Published

10/8/2025

Updated

10/9/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-43771

CVE-2025-43771: Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-43771

CVE-2025-43771:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-43771

GHSA ID

GHSA-q8fj-76q7-4p7h

EPSS Score

0.36234%

CWE

CWE-79

Published

10/8/2025

Updated

10/9/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay:com.liferay.flags.web	maven	>= 6.0.23, < 6.0.24	6.0.24

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in several notification handler classes within Liferay Portal. The core of the issue is the use of unescaped data when constructing notification messages. The patches consistently show a shift from retrieving an originalValue to an escapedValue from the JSON data that makes up the notification content.

The analysis of the provided commits reveals the following:

com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler: Both the getBody and getLink methods were vulnerable. They were using a helper method _getOriginalValue which, as the name implies and the patch confirms, was fetching raw, unescaped data. This data, originating from user-provided fields like names or flagged content reasons, could contain malicious scripts. The fix involved renaming _getOriginalValue to _getEscapedValue and ensuring it fetches pre-escaped data from the JSON payload.
com.liferay.asset.publisher.web.internal.notifications.AssetPublisherUserNotificationHandler: The getBodyContent method in this class was also found to be vulnerable. Similar to the previous case, it was retrieving the originalValue from a JSON object, which was then rendered without proper escaping. The fix was to switch to using the escapedValue.

The test file changes in commit 28dc724658e13acb80f30fb3211d0849592ec4ef further confirm the nature of the vulnerability by adding specific test cases for XSS payloads in user names and other content, ensuring they are properly escaped in the final output.

An engineer seeing this CVE in their environment should understand that any user-generated content that can trigger a notification via the Flags or Asset Publisher widgets could be a vector for this XSS attack. The identified functions are the points where this malicious input is processed and rendered, making them the key indicators of exploitation in a runtime profile.

Vulnerable functions

com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler.getBody

modules/apps/flags/flags-web/src/main/java/com/liferay/flags/web/internal/notifications/FlagsUserNotificationHandler.java

The `getBody` method was vulnerable to XSS because it used the `_getOriginalValue` method, which retrieved unescaped data from the JSON payload. This unescaped data, which could include user names and other content, was then used to construct the notification body, allowing for the injection of malicious scripts.

com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler.getLink

modules/apps/flags/flags-web/src/main/java/com/liferay/flags/web/internal/notifications/FlagsUserNotificationHandler.java

The `getLink` method was vulnerable because it used the `_getOriginalValue` method to retrieve the content URL from the JSON payload. If a malicious URL containing script was provided, it would be rendered unescaped, leading to an XSS vulnerability.

com.liferay.asset.publisher.web.internal.notifications.AssetPublisherUserNotificationHandler.getBodyContent

modules/apps/asset/asset-publisher-web/src/main/java/com/liferay/asset/publisher/web/internal/notifications/AssetPublisherUserNotificationHandler.java

The `getBodyContent` method was vulnerable to XSS because it directly returned the `originalValue` from the JSON object, which was not sanitized. This allowed for the injection of arbitrary HTML and script into the notification content.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-43771: Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields

CVE-2025-43771:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2025-43771: Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI