CVE-2025-43771: Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields
N/A
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.flags.web | maven | >= 6.0.23, < 6.0.24 | 6.0.24 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in several notification handler classes within Liferay Portal. The core of the issue is the use of unescaped data when constructing notification messages. The patches consistently show a shift from retrieving an originalValue to an escapedValue from the JSON data that makes up the notification content.
The analysis of the provided commits reveals the following:
- com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler: Both the getBody and getLink methods were vulnerable. They were using a helper method _getOriginalValue which, as the name implies and the patch confirms, was fetching raw, unescaped data. This data, originating from user-provided fields like names or flagged content reasons, could contain malicious scripts. The fix involved renaming _getOriginalValue to _getEscapedValue and ensuring it fetches pre-escaped data from the JSON payload.
- com.liferay.asset.publisher.web.internal.notifications.AssetPublisherUserNotificationHandler: The getBodyContent method in this class was also found to be vulnerable. Similar to the previous case, it was retrieving the originalValue from a JSON object, which was then rendered without proper escaping. The fix was to switch to using the escapedValue.
The test file changes in commit 28dc724658e13acb80f30fb3211d0849592ec4ef further confirm the nature of the vulnerability by adding specific test cases for XSS payloads in user names and other content, ensuring they are properly escaped in the final output.
An engineer seeing this CVE in their environment should understand that any user-generated content that can trigger a notification via the Flags or Asset Publisher widgets could be a vector for this XSS attack. The identified functions are the points where this malicious input is processed and rendered, making them the key indicators of exploitation in a runtime profile.
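The pattern described above, as an added, self-contained example that is not Liferay's code: a notification payload carries both a raw field ("originalValue") and a copy escaped at creation time ("escapedValue"), a handler that reads the raw field concatenates it into markup, and the patched handler reads the escaped field instead. The key names mirror the analysis; the escapeHtml helper, the map-based payload and the regression check are assumptions standing in for Liferay's own utilities and the commit's test cases.

```java
import java.util.Map;
import java.util.regex.Pattern;

// Added example (not Liferay code). Models a notification handler that
// renders a body from a JSON-like payload holding both the raw value and a
// pre-escaped copy, and contrasts the vulnerable read with the patched one.
public class NotificationEscapingExample {

    // Minimal HTML text-node escaping; stands in for the escaping applied
    // when the producer stores "escapedValue" (assumption, not Liferay's API).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Producer side: escape once when the notification is created and
    // store both forms, so consumers can pick the safe one.
    static Map<String, String> buildPayload(String userName) {
        return Map.of(
            "originalValue", userName,
            "escapedValue", escapeHtml(userName));
    }

    // Vulnerable pattern (pre-patch _getOriginalValue behaviour):
    // the raw user-supplied string is concatenated straight into markup.
    static String getBodyVulnerable(Map<String, String> payload) {
        return "<p>" + payload.get("originalValue") + " flagged your content</p>";
    }

    // Patched pattern (post-patch _getEscapedValue behaviour):
    // only the pre-escaped copy ever reaches the rendered body.
    static String getBodyFixed(Map<String, String> payload) {
        return "<p>" + payload.get("escapedValue") + " flagged your content</p>";
    }

    // Regression check in the spirit of the commit's tests: no tag other than
    // the handler's own <p> wrapper may appear in the rendered output.
    private static final Pattern FOREIGN_TAG = Pattern.compile("<(?!/?p>)");

    static boolean containsForeignTag(String html) {
        return FOREIGN_TAG.matcher(html).find();
    }

    public static void main(String[] args) {
        // Constructed sample input: a user name containing markup.
        String hostileName = "<script>alert(1)</script>";
        Map<String, String> payload = buildPayload(hostileName);

        String vulnerable = getBodyVulnerable(payload);
        String fixed = getBodyFixed(payload);

        System.out.println("vulnerable body: " + vulnerable);
        System.out.println("fixed body:      " + fixed);
        // Expected: true for the vulnerable handler, false for the fixed one.
        System.out.println("vulnerable leaks markup: " + containsForeignTag(vulnerable));
        System.out.println("fixed leaks markup:      " + containsForeignTag(fixed));
    }
}
```

When reviewing a handler like getLink, check that the escaped form matches the context it lands in: a value that is safe as HTML text is not automatically safe inside an href or other attribute, so the escaping chosen at payload-creation time has to be the one every consumer of that field actually needs.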
Vulnerable functions
- com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler.getBody (modules/apps/flags/flags-web/src/main/java/com/liferay/flags/web/internal/notifications/FlagsUserNotificationHandler.java)
- com.liferay.flags.web.internal.notifications.FlagsUserNotificationHandler.getLink (modules/apps/flags/flags-web/src/main/java/com/liferay/flags/web/internal/notifications/FlagsUserNotificationHandler.java)
- com.liferay.asset.publisher.web.internal.notifications.AssetPublisherUserNotificationHandler.getBodyContent (modules/apps/asset/asset-publisher-web/src/main/java/com/liferay/asset/publisher/web/internal/notifications/AssetPublisherUserNotificationHandler.java)