N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-43821

GHSA ID

GHSA-fjrp-77f3-43xj

EPSS Score

0.36234%

CWE

CWE-79

Published

10/8/2025

Updated

10/9/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-43821

CVE-2025-43821: Liferay Portal is vulnerable to XXS through its Commerce Product's Name text field

Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-43821

CVE-2025-43821:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-43821

GHSA ID

GHSA-fjrp-77f3-43xj

EPSS Score

0.36234%

CWE

CWE-79

Published

10/8/2025

Updated

10/9/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.commerce:com.liferay.commerce.product.service	maven	>= 6.0.5, < 6.0.134	6.0.134

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue originating from the 'Name' field of a Commerce Product. The provided patch addresses this by introducing sanitization for several fields of the CPDefinitionLocalization model, which stores localized product details like the name.

The analysis of the patch commit 433f82c03fac10167f1f811efb482d6010bac6db reveals two key changes:

Configuration Change (portlet-model-hints.xml): The core of the fix lies in this file, where <sanitize content-type="text/html" modes="ALL" /> is added to the name, shortDescription, metaTitle, metaDescription, and metaKeywords fields for the com.liferay.commerce.product.model.CPDefinitionLocalization model. This instructs the Liferay persistence layer to automatically sanitize these fields upon being saved.
Test Case Addition (CPDefinitionLocalServiceTest.java): A new integration test, testAvoidMaliciousCodeInCPDefinitionFields, was added to verify the fix. This test directly invokes _cpDefinitionLocalService.updateCPDefinitionLocalization with a malicious XSS payload. It then asserts that the values stored in the resulting CPDefinitionLocalization object are properly sanitized.

The test case provides clear evidence that updateCPDefinitionLocalization is the function responsible for processing the potentially malicious input. While the function's own source code isn't modified in the patch, it is the entry point for the vulnerable data. The vulnerability existed because this service method would persist the data as-is, and the fix ensures that when this method is called, the underlying model's new sanitization rules are applied. Therefore, com.liferay.commerce.product.service.CPDefinitionLocalService.updateCPDefinitionLocalization is the key function that would appear in a runtime profile during the exploitation of this vulnerability, as it's the one processing and persisting the tainted input.

Vulnerable functions

com.liferay.commerce.product.service.CPDefinitionLocalService.updateCPDefinitionLocalization

modules/apps/commerce/commerce-product-service/src/main/java/com/liferay/commerce/product/service/impl/CPDefinitionLocalServiceImpl.java

This function is responsible for creating or updating localized product definitions, including the product's name. Before the patch, this function would save the raw input for fields like `name` and `shortDescription` without proper sanitization. An attacker could provide a malicious payload (e.g., JavaScript) in these fields. When the product information was later displayed in components like the 'Commerce Product Comparison Table widget', the malicious script would execute in the user's browser, leading to a stored Cross-Site Scripting (XSS) vulnerability. The patch mitigates this by adding a sanitization rule at the model level, ensuring that any HTML/script content provided to this function is neutralized before being stored.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-43821: Liferay Portal is vulnerable to XXS through its Commerce Product's Name text field

CVE-2025-43821:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-43821: Liferay Portal is vulnerable to XXS through its Commerce Product's Name text field

Technical Details

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI