Moderate severityNVD Advisory· Published Aug 19, 2025· Updated Aug 19, 2025
CVE-2025-43740
CVE-2025-43740
Description
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay.portal:release.portal.bomMaven | >= 7.4.3.120-ga120, <= 7.4.3.132-ga23 | — |
Affected products
2- Liferay/DXPv5Range: 2024.Q1.9
Patches
3c1b7c6b58f50LPD-60037 Change order values
3 files changed · +3 −3
modules/apps/comment/comment-sanitizer/src/main/java/com/liferay/comment/sanitizer/internal/CommentSanitizerImpl.java+1 −1 modified@@ -21,7 +21,7 @@ /** * @author Sergio González */ -@Component(property = "sanitizer.order:Integer=1", service = Sanitizer.class) +@Component(property = "sanitizer.order:Integer=20", service = Sanitizer.class) public class CommentSanitizerImpl implements Sanitizer { public CommentSanitizerImpl() {
modules/apps/portal-security/portal-security-antisamy/src/main/java/com/liferay/portal/security/antisamy/internal/configuration/admin/service/AntiSamySanitizerPublisherManagedServiceFactory.java+1 −1 modified@@ -115,7 +115,7 @@ protected void activate( HashMapDictionaryBuilder.<String, Object>put( "component.name", AntiSamySanitizerImpl.class.getCanonicalName() ).put( - "sanitizer.order", 2 + "sanitizer.order", 30 ).build()); }
modules/apps/portal-security/portal-security-iframe-sanitizer/src/main/java/com/liferay/portal/security/iframe/sanitizer/internal/IFrameSanitizerImpl.java+1 −1 modified@@ -30,7 +30,7 @@ */ @Component( configurationPid = "com.liferay.portal.security.iframe.sanitizer.configuration.IFrameConfiguration", - property = "sanitizer.order:Integer=0", service = Sanitizer.class + property = "sanitizer.order:Integer=10", service = Sanitizer.class ) public class IFrameSanitizerImpl implements Sanitizer {
32821b41f7f6LPD-60037 Sort sanitizers: since iFrameSanitizer unescapes the content to perform its sanitization, make it the first sanitizer to run so it doesn't affect the other sanitizers outputs.
4 files changed · +13 −7
modules/apps/comment/comment-sanitizer/src/main/java/com/liferay/comment/sanitizer/internal/CommentSanitizerImpl.java+1 −1 modified@@ -21,7 +21,7 @@ /** * @author Sergio González */ -@Component(service = Sanitizer.class) +@Component(property = "sanitizer.order:Integer=1", service = Sanitizer.class) public class CommentSanitizerImpl implements Sanitizer { public CommentSanitizerImpl() {
modules/apps/portal-security/portal-security-antisamy/src/main/java/com/liferay/portal/security/antisamy/internal/configuration/admin/service/AntiSamySanitizerPublisherManagedServiceFactory.java+6 −4 modified@@ -7,7 +7,7 @@ import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil; import com.liferay.portal.kernel.sanitizer.Sanitizer; -import com.liferay.portal.kernel.util.MapUtil; +import com.liferay.portal.kernel.util.HashMapDictionaryBuilder; import com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration; import com.liferay.portal.security.antisamy.configuration.AntiSamyConfiguration; import com.liferay.portal.security.antisamy.internal.AntiSamySanitizerImpl; @@ -112,9 +112,11 @@ protected void activate( _sanitizerServiceRegistration = bundleContext.registerService( Sanitizer.class, _antiSamySanitizerImpl, - MapUtil.singletonDictionary( - "component.name", - AntiSamySanitizerImpl.class.getCanonicalName())); + HashMapDictionaryBuilder.<String, Object>put( + "component.name", AntiSamySanitizerImpl.class.getCanonicalName() + ).put( + "sanitizer.order", 2 + ).build()); } @Deactivate
modules/apps/portal-security/portal-security-iframe-sanitizer/src/main/java/com/liferay/portal/security/iframe/sanitizer/internal/IFrameSanitizerImpl.java+1 −1 modified@@ -30,7 +30,7 @@ */ @Component( configurationPid = "com.liferay.portal.security.iframe.sanitizer.configuration.IFrameConfiguration", - service = Sanitizer.class + property = "sanitizer.order:Integer=0", service = Sanitizer.class ) public class IFrameSanitizerImpl implements Sanitizer {
portal-kernel/src/com/liferay/portal/kernel/sanitizer/SanitizerUtil.java+5 −1 modified@@ -7,8 +7,10 @@ import com.liferay.osgi.service.tracker.collections.list.ServiceTrackerList; import com.liferay.osgi.service.tracker.collections.list.ServiceTrackerListFactory; +import com.liferay.osgi.service.tracker.collections.map.PropertyServiceReferenceComparator; import com.liferay.portal.kernel.module.util.SystemBundleUtil; +import java.util.Collections; import java.util.Map; /** @@ -55,6 +57,8 @@ public static String sanitize( private static final ServiceTrackerList<Sanitizer> _sanitizers = ServiceTrackerListFactory.open( - SystemBundleUtil.getBundleContext(), Sanitizer.class); + SystemBundleUtil.getBundleContext(), Sanitizer.class, + Collections.reverseOrder( + new PropertyServiceReferenceComparator<>("sanitizer.order"))); } \ No newline at end of file
51e21fa8b3e8LPD-60037 Add test
4 files changed · +93 −0
modules/apps/sanitizer/sanitizer-test/bnd.bnd+3 −0 added@@ -0,0 +1,3 @@ +Bundle-Name: Liferay Sanitizer Test +Bundle-SymbolicName: com.liferay.sanitizer.test +Bundle-Version: 1.0.0 \ No newline at end of file
modules/apps/sanitizer/sanitizer-test/build.gradle+7 −0 added@@ -0,0 +1,7 @@ +dependencies { + testIntegrationImplementation group: "com.liferay.jakarta.portlet", name: "com.liferay.jakarta.portlet-api", version: "4.0.0" + testIntegrationImplementation group: "com.liferay.portal", name: "com.liferay.portal.impl", version: "default" + testIntegrationImplementation project(":apps:blogs:blogs-api") + testIntegrationImplementation project(":apps:journal:journal-api") + testIntegrationImplementation project(":test:arquillian-extension-junit-bridge") +} \ No newline at end of file
modules/apps/sanitizer/sanitizer-test/src/testIntegration/java/com/liferay/sanitizer/test/SanitizerUtilTest.java+66 −0 added@@ -0,0 +1,66 @@ +/** + * SPDX-FileCopyrightText: (c) 2025 Liferay, Inc. https://liferay.com + * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06 + */ + +package com.liferay.sanitizer.test; + +import com.liferay.arquillian.extension.junit.bridge.junit.Arquillian; +import com.liferay.blogs.model.BlogsEntry; +import com.liferay.journal.model.JournalArticle; +import com.liferay.portal.kernel.model.User; +import com.liferay.portal.kernel.sanitizer.Sanitizer; +import com.liferay.portal.kernel.sanitizer.SanitizerUtil; +import com.liferay.portal.kernel.test.rule.AggregateTestRule; +import com.liferay.portal.kernel.test.util.RandomTestUtil; +import com.liferay.portal.kernel.test.util.TestPropsValues; +import com.liferay.portal.kernel.util.ContentTypes; +import com.liferay.portal.kernel.util.HashMapBuilder; +import com.liferay.portal.test.rule.LiferayIntegrationTestRule; + +import org.junit.Assert; +import org.junit.ClassRule; +import org.junit.Rule; +import org.junit.Test; +import org.junit.runner.RunWith; + +/** + * @author Manuele Castro + */ +@RunWith(Arquillian.class) +public class SanitizerUtilTest { + + @ClassRule + @Rule + public static final AggregateTestRule aggregateTestRule = + new LiferayIntegrationTestRule(); + + @Test + public void testSanitize() throws Exception { + String string = RandomTestUtil.randomString(); + + Assert.assertEquals( + """ + string + """, + SanitizerUtil.sanitize( + TestPropsValues.getCompanyId(), TestPropsValues.getGroupId(), + TestPropsValues.getUserId(), JournalArticle.class.getName(), 0, + ContentTypes.TEXT_HTML, Sanitizer.MODE_ALL, + "\"" + string + "\"", + HashMapBuilder.<String, Object>put( + "discussion", Boolean.TRUE + ).build())); + Assert.assertEquals( + """ + string + """, + SanitizerUtil.sanitize( + TestPropsValues.getCompanyId(), TestPropsValues.getGroupId(), + TestPropsValues.getUserId(), User.class.getName(), 0, + ContentTypes.TEXT_HTML, "\"" + string + "\"")); + Assert.assertEquals( + "<iframe sandbox=\"\">" + string + "</iframe>", + SanitizerUtil.sanitize( + TestPropsValues.getCompanyId(), TestPropsValues.getGroupId(), + TestPropsValues.getUserId(), BlogsEntry.class.getName(), 0, + ContentTypes.TEXT_HTML, "<iframe>" + string + "</iframe>")); + } + +} \ No newline at end of file
modules/apps/sanitizer/test.properties+17 −0 added@@ -0,0 +1,17 @@ +modified.files.includes[relevant][sanitizer-java-rule]=\ + **/*.java,\ + **/test/**,\ + **/testIntegration/** + +modules.includes.required.test.batch.class.names.includes[modules-integration-postgresql163][relevant][sanitizer-java-rule]=\ + apps/sanitizer/**/*Test.java + +modules.includes.required.test.batch.class.names.includes[modules-unit][relevant][sanitizer-java-rule]=\ + apps/sanitizer/**/*Test.java + +relevant.rule.names=sanitizer-java-rule + +test.batch.names[relevant][sanitizer-java-rule]=\ + modules-integration-postgresql163 + +testray.main.component.name=AntiSamy \ No newline at end of file
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-22jp-w3cg-gvmmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-43740ghsaADVISORY
- github.com/liferay/liferay-portal/commit/32821b41f7f62271d1fb9d56c82297cd087780a4ghsaWEB
- github.com/liferay/liferay-portal/commit/51e21fa8b3e8b49ed455caeab192c5bba7e15b6dghsaWEB
- github.com/liferay/liferay-portal/commit/c1b7c6b58f5042072c381fc2664e808ebb745826ghsaWEB
- liferay.atlassian.net/browse/LPE-18276ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43740ghsaWEB
News mentions
0No linked articles in our index yet.