CVE-2025-43821: Liferay Portal is vulnerable to XSS through its Commerce Product's Name text field
N/A
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay.commerce:com.liferay.commerce.product.service | maven | >= 6.0.5, < 6.0.134 | 6.0.134 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a stored Cross-Site Scripting (XSS) issue originating from the 'Name' field of a Commerce Product. The patch addresses it by introducing sanitization for several fields of the `CPDefinitionLocalization` model, which stores localized product details such as the name.
The analysis of the patch commit 433f82c03fac10167f1f811efb482d6010bac6db reveals two key changes:
- Configuration change (`portlet-model-hints.xml`): The core of the fix lies in this file, where `<sanitize content-type="text/html" modes="ALL" />` is added to the `name`, `shortDescription`, `metaTitle`, `metaDescription`, and `metaKeywords` fields of the `com.liferay.commerce.product.model.CPDefinitionLocalization` model. This instructs the Liferay persistence layer to automatically sanitize these fields when they are saved.
- Test case addition (`CPDefinitionLocalServiceTest.java`): A new integration test, `testAvoidMaliciousCodeInCPDefinitionFields`, was added to verify the fix. This test directly invokes `_cpDefinitionLocalService.updateCPDefinitionLocalization` with a malicious XSS payload, then asserts that the values stored in the resulting `CPDefinitionLocalization` object are properly sanitized.
The test case provides clear evidence that updateCPDefinitionLocalization is the function responsible for processing the potentially malicious input. While the function's own source code isn't modified in the patch, it is the entry point for the vulnerable data. The vulnerability existed because this service method would persist the data as-is, and the fix ensures that when this method is called, the underlying model's new sanitization rules are applied. Therefore, com.liferay.commerce.product.service.CPDefinitionLocalService.updateCPDefinitionLocalization is the key function that would appear in a runtime profile during the exploitation of this vulnerability, as it's the one processing and persisting the tainted input.
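The following is an added example, not Liferay's own code or the real contents of the patched file. It constructs a minimal `portlet-model-hints.xml` for the `CPDefinitionLocalization` model in its pre-patch shape (field set, types and the `max-length` hint are assumptions for illustration), applies the same `<sanitize content-type="text/html" modes="ALL" />` hint the advisory describes to the five affected fields, and lists which `String` fields of the model still lack a sanitize hint. The listing function doubles as a review aid for checking a deployed module's model hints; note that a `String` field without the hint is not automatically a bug (`languageId` holds a locale code, not user-facing HTML), so the output is a review list, not a verdict.

```python
"""Added example: audit and patch sanitize hints in a Liferay
portlet-model-hints.xml. Not Liferay's code; the XML below is constructed."""
import xml.etree.ElementTree as ET

MODEL = "com.liferay.commerce.product.model.CPDefinitionLocalization"

# Fields the advisory says received the sanitize hint in the fix.
SANITIZED_FIELDS = ("name", "shortDescription", "metaTitle",
                    "metaDescription", "metaKeywords")

# Constructed pre-patch state: localized text fields persisted verbatim.
# The field set and the max-length hint are assumptions for illustration.
VULNERABLE_HINTS = """<model-hints>
  <model name="com.liferay.commerce.product.model.CPDefinitionLocalization">
    <field name="CPDefinitionLocalizationId" type="long" />
    <field name="CPDefinitionId" type="long" />
    <field name="languageId" type="String" />
    <field name="name" type="String" />
    <field name="shortDescription" type="String">
      <hint name="max-length">4000</hint>
    </field>
    <field name="metaTitle" type="String" />
    <field name="metaDescription" type="String" />
    <field name="metaKeywords" type="String" />
  </model>
</model-hints>
"""


def _find_model(root, model_name):
    for model in root.findall("model"):
        if model.get("name") == model_name:
            return model
    raise ValueError(f"model {model_name} not found in model hints")


def unsanitized_string_fields(hints_xml, model_name):
    """Return the sorted names of String fields of `model_name` that have
    no <sanitize> child, i.e. fields the persistence layer will store as-is."""
    model = _find_model(ET.fromstring(hints_xml), model_name)
    return sorted(
        field.get("name")
        for field in model.findall("field")
        if field.get("type") == "String" and field.find("sanitize") is None
    )


def add_sanitize_hints(hints_xml, model_name, field_names):
    """Return the model hints with <sanitize content-type="text/html"
    modes="ALL" /> added to each named field that lacks one. This mirrors
    the shape of the fix; it is not the project's own patch."""
    root = ET.fromstring(hints_xml)
    model = _find_model(root, model_name)
    for field in model.findall("field"):
        if field.get("name") in field_names and field.find("sanitize") is None:
            ET.SubElement(field, "sanitize",
                          {"content-type": "text/html", "modes": "ALL"})
    return ET.tostring(root, encoding="unicode")


# Post-patch state derived from the constructed input above.
FIXED_HINTS = add_sanitize_hints(VULNERABLE_HINTS, MODEL, SANITIZED_FIELDS)


if __name__ == "__main__":
    print("before:", unsanitized_string_fields(VULNERABLE_HINTS, MODEL))
    print("after: ", unsanitized_string_fields(FIXED_HINTS, MODEL))
```

Running the script against the constructed input lists all six `String` fields before the fix and only `languageId` afterwards. To use it on a real deployment, extract `META-INF/portlet-model-hints.xml` from the `com.liferay.commerce.product.service` jar and pass its contents to `unsanitized_string_fields`; any of the five advisory fields appearing in the result indicates the unpatched hints are still in place.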
Vulnerable functions
com.liferay.commerce.product.service.CPDefinitionLocalService.updateCPDefinitionLocalization
modules/apps/commerce/commerce-product-service/src/main/java/com/liferay/commerce/product/service/impl/CPDefinitionLocalServiceImpl.java