
CVE-2025-43821: Liferay Portal is vulnerable to XSS through its Commerce Product's Name text field

CVSS Score: N/A

Basic Information

EPSS Score: 0.36234%
Published: 10/8/2025
Updated: 10/9/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.liferay.commerce:com.liferay.commerce.product.service | maven | >= 6.0.5, < 6.0.134 | 6.0.134

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue originating from the 'Name' field of a Commerce Product. The provided patch addresses this by introducing sanitization for several fields of the CPDefinitionLocalization model, which stores localized product details like the name.

The analysis of the patch commit 433f82c03fac10167f1f811efb482d6010bac6db reveals two key changes:

  1. Configuration Change (portlet-model-hints.xml): The core of the fix lies in this file, where <sanitize content-type="text/html" modes="ALL" /> is added to the name, shortDescription, metaTitle, metaDescription, and metaKeywords fields for the com.liferay.commerce.product.model.CPDefinitionLocalization model. This instructs the Liferay persistence layer to automatically sanitize these fields upon being saved.
  2. Test Case Addition (CPDefinitionLocalServiceTest.java): A new integration test, testAvoidMaliciousCodeInCPDefinitionFields, was added to verify the fix. This test directly invokes _cpDefinitionLocalService.updateCPDefinitionLocalization with a malicious XSS payload. It then asserts that the values stored in the resulting CPDefinitionLocalization object are properly sanitized.

The test case provides clear evidence that updateCPDefinitionLocalization is the function responsible for processing the potentially malicious input. While the function's own source code isn't modified in the patch, it is the entry point for the vulnerable data. The vulnerability existed because this service method would persist the data as-is, and the fix ensures that when this method is called, the underlying model's new sanitization rules are applied. Therefore, com.liferay.commerce.product.service.CPDefinitionLocalService.updateCPDefinitionLocalization is the key function that would appear in a runtime profile during the exploitation of this vulnerability, as it's the one processing and persisting the tainted input.
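To make the configuration change concrete, the fragment below shows the shape a portlet-model-hints.xml entry for the CPDefinitionLocalization model takes before and after the sanitize hint is added. This is an illustrative reconstruction added here, not the file from commit 433f82c03fac10167f1f811efb482d6010bac6db: the five field names and the sanitize element come from the analysis above, while the field types, the mvccVersion field and the omitted XML header/DOCTYPE are assumptions.

```xml
<!-- Illustrative reconstruction (added example), not the patched file itself.
     Field types and the mvccVersion field are assumptions; only the sanitize
     element and the five field names are taken from the patch description. -->
<model-hints>
	<model name="com.liferay.commerce.product.model.CPDefinitionLocalization">
		<field name="mvccVersion" type="long" />

		<!-- Before the fix: plain String fields, persisted exactly as submitted,
		     so a script payload in the product name reaches the database intact.
		<field name="name" type="String" />
		<field name="shortDescription" type="String" />
		<field name="metaTitle" type="String" />
		<field name="metaDescription" type="String" />
		<field name="metaKeywords" type="String" />
		-->

		<!-- After the fix: the sanitize hint tells the persistence layer to run
		     the configured HTML sanitizer over the value (in every mode) before
		     the entity is saved, so the service method stores neutralized content. -->
		<field name="name" type="String">
			<sanitize content-type="text/html" modes="ALL" />
		</field>
		<field name="shortDescription" type="String">
			<sanitize content-type="text/html" modes="ALL" />
		</field>
		<field name="metaTitle" type="String">
			<sanitize content-type="text/html" modes="ALL" />
		</field>
		<field name="metaDescription" type="String">
			<sanitize content-type="text/html" modes="ALL" />
		</field>
		<field name="metaKeywords" type="String">
			<sanitize content-type="text/html" modes="ALL" />
		</field>
	</model>
</model-hints>
```

Because the hint is applied when the entity is saved, it protects new and updated localizations going through updateCPDefinitionLocalization; rows written before the upgrade keep whatever was stored, so the rendering side should still encode product fields on output. The check that the hint is actually in effect is the service-level test the analysis describes: call updateCPDefinitionLocalization with a script payload and assert that the persisted name, shortDescription, metaTitle, metaDescription and metaKeywords no longer contain it.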

Vulnerable functions

com.liferay.commerce.product.service.CPDefinitionLocalService.updateCPDefinitionLocalization
modules/apps/commerce/commerce-product-service/src/main/java/com/liferay/commerce/product/service/impl/CPDefinitionLocalServiceImpl.java
This function is responsible for creating or updating localized product definitions, including the product's name. Before the patch, this function would save the raw input for fields like `name` and `shortDescription` without proper sanitization. An attacker could provide a malicious payload (e.g., JavaScript) in these fields. When the product information was later displayed in components like the 'Commerce Product Comparison Table widget', the malicious script would execute in the user's browser, leading to a stored Cross-Site Scripting (XSS) vulnerability. The patch mitigates this by adding a sanitization rule at the model level, ensuring that any HTML/script content provided to this function is neutralized before being stored.

WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal *.*.* through *.*.*.***, and Liferay DXP ****.Q*.* through ****.Q*.*, ****.Q*.* through ****.Q*.*, and *.* ** through update ** allows remote a
