
CVE-2025-43753


Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows a remote authenticated user to inject JavaScript into the embedded message field from the form container.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay:com.liferay.layout.taglib (Maven)
< 16.1.32 | 16.1.32

Affected products


Patches

0a82d906b348

LPD-52923 SF

https://github.com/liferay/liferay-portal · Brian Chan · Apr 11, 2025 · via ghsa
1 file changed · +4 9
  • modules/apps/layout/layout-test/src/testIntegration/java/com/liferay/layout/taglib/test/RenderLayoutStructureTagTest.java+4 9 modified
    @@ -3028,16 +3028,11 @@ private void _testRenderFormWithSuccessMessage(
     
     		String content = mockHttpServletResponse.getContentAsString();
     
    -		String formStartHTML = "<form action=\"";
    -
    -		Assert.assertFalse(content.contains(formStartHTML));
    -
    +		Assert.assertFalse(
    +			content.contains("<form action=\""));
    +		Assert.assertFalse(
    +			content.contains("<p>InputName:" + infoField.getName() + "</p>"));
     		Assert.assertTrue(content, content.contains(expectedSuccessHTML));
    -
    -		String expectedInfoFieldInput =
    -			"<p>InputName:" + infoField.getName() + "</p>";
    -
    -		Assert.assertFalse(content.contains(expectedInfoFieldInput));
     	}
     
     	private void _testRenderLayoutWithLocale(
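Review bot: The two `Assert.assertFalse` calls on the new lines drop the `content` message argument that the `Assert.assertTrue` immediately below passes, so if the form markup or the raw input field does leak into the rendered page the failure reports only an AssertionError with no rendered HTML to inspect. Passing the content in both, `Assert.assertFalse(content, content.contains("<form action=\""));` and `Assert.assertFalse(content, content.contains("<p>InputName:" + infoField.getName() + "</p>"));`, keeps the three assertions consistent. The same omission is present where the helper was first introduced in 0b6a777f9d11. `_testRenderFormWithSuccessMessage` starts outside the hunk.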
    
d835c7331e38

LPD-52923 Add asserts for this use case

https://github.com/liferay/liferay-portal · Lourdes Fernández Besada · Apr 10, 2025 · via ghsa
1 file changed · +38 0
  • modules/apps/layout/layout-test/src/testIntegration/java/com/liferay/layout/taglib/test/RenderLayoutStructureTagTest.java+38 0 modified
    @@ -1920,6 +1920,44 @@ public void testRenderFormWithSuccessMessage() throws Exception {
     							"received"),
     					"</div>"),
     				formItemId, infoField, layout);
    +
    +			Layout draftLayout = layout.fetchDraftLayout();
    +
    +			long segmentsExperienceId =
    +				_segmentsExperienceLocalService.
    +					fetchDefaultSegmentsExperienceId(draftLayout.getPlid());
    +
    +			LayoutStructure layoutStructure =
    +				_layoutStructureProvider.getLayoutStructure(
    +					draftLayout.getPlid(), segmentsExperienceId);
    +
    +			List<FormStyledLayoutStructureItem> formStyledLayoutStructureItems =
    +				layoutStructure.getFormStyledLayoutStructureItems();
    +
    +			FormStyledLayoutStructureItem formStyledLayoutStructureItem =
    +				formStyledLayoutStructureItems.get(0);
    +
    +			String message =
    +				"<script>alert('" + RandomTestUtil.randomString() +
    +					"')</script>";
    +
    +			formStyledLayoutStructureItem.setSuccessMessageJSONObject(
    +				JSONUtil.put(
    +					"message",
    +					JSONUtil.put(LocaleUtil.toLanguageId(locale), message)
    +				).put(
    +					"type", "embedded"
    +				));
    +
    +			_layoutPageTemplateStructureLocalService.
    +				updateLayoutPageTemplateStructureData(
    +					_group.getGroupId(), draftLayout.getPlid(),
    +					segmentsExperienceId, layoutStructure.toString());
    +
    +			ContentLayoutTestUtil.publishLayout(draftLayout, layout);
    +
    +			_testRenderFormWithSuccessMessage(
    +				HtmlUtil.escape(message), formItemId, infoField, layout);
     		}
     	}
     
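Review bot: The added case only checks positively that `HtmlUtil.escape(message)` appears in the rendered output; nothing asserts that the unescaped `message` is absent, which is the property the change in 6ebe92600877 is meant to guarantee and would make this test fail on a regression more directly. Since rendering happens inside `_testRenderFormWithSuccessMessage`, that needs either an extra parameter for a string that must not appear or a separate render in this method, followed by `Assert.assertFalse(content, content.contains(message));`. Separately, `formStyledLayoutStructureItems.get(0)` assumes the structure fetched from the draft layout has at least one form item; an `Assert.assertFalse(formStyledLayoutStructureItems.isEmpty());` first would state that precondition instead of failing with an index exception. `testRenderFormWithSuccessMessage` starts outside the hunk.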
    
0b6a777f9d11

LPD-52923 Extract to reuse

https://github.com/liferay/liferay-portal · Lourdes Fernández Besada · Apr 10, 2025 · via ghsa
1 file changed · +37 29
  • modules/apps/layout/layout-test/src/testIntegration/java/com/liferay/layout/taglib/test/RenderLayoutStructureTagTest.java+37 29 modified
    @@ -1908,37 +1908,18 @@ public void testRenderFormWithSuccessMessage() throws Exception {
     					_portal.getClassNameId(MockObject.class.getName())),
     				"0", layout, _layoutStructureProvider, infoField);
     
    -			MockHttpServletRequest mockHttpServletRequest =
    -				_getMockHttpServletRequest(layout);
    -
    -			SessionMessages.add(mockHttpServletRequest, formItemId);
    -
    -			MockHttpServletResponse mockHttpServletResponse = _renderLayout(
    -				layout, mockHttpServletRequest);
    -
    -			String content = mockHttpServletResponse.getContentAsString();
    -
    -			String formStartHTML = "<form action=\"";
    -
    -			Assert.assertFalse(content.contains(formStartHTML));
    -
     			Locale locale = _portal.getSiteDefaultLocale(_group);
     
    -			String expectedSuccessMessage = LanguageUtil.get(
    -				locale,
    -				"thank-you.-your-information-was-successfully-received");
    -
    -			String expectedSuccessHTML = StringBundler.concat(
    -				"<div class=\"bg-white font-weight-semi-bold p-5 text-3 ",
    -				"text-center text-secondary\">", expectedSuccessMessage,
    -				"</div>");
    -
    -			Assert.assertTrue(content.contains(expectedSuccessHTML));
    -
    -			String expectedInfoFieldInput =
    -				"<p>InputName:" + infoField.getName() + "</p>";
    -
    -			Assert.assertFalse(content.contains(expectedInfoFieldInput));
    +			_testRenderFormWithSuccessMessage(
    +				StringBundler.concat(
    +					"<div class=\"bg-white font-weight-semi-bold p-5 text-3 ",
    +					"text-center text-secondary\">",
    +					LanguageUtil.get(
    +						locale,
    +						"thank-you.-your-information-was-successfully-" +
    +							"received"),
    +					"</div>"),
    +				formItemId, infoField, layout);
     		}
     	}
     
    @@ -2993,6 +2974,33 @@ private void _testPagination(
     		}
     	}
     
    +	private void _testRenderFormWithSuccessMessage(
    +			String expectedSuccessHTML, String formItemId,
    +			InfoField<TextInfoFieldType> infoField, Layout layout)
    +		throws Exception {
    +
    +		MockHttpServletRequest mockHttpServletRequest =
    +			_getMockHttpServletRequest(layout);
    +
    +		SessionMessages.add(mockHttpServletRequest, formItemId);
    +
    +		MockHttpServletResponse mockHttpServletResponse = _renderLayout(
    +			layout, mockHttpServletRequest);
    +
    +		String content = mockHttpServletResponse.getContentAsString();
    +
    +		String formStartHTML = "<form action=\"";
    +
    +		Assert.assertFalse(content.contains(formStartHTML));
    +
    +		Assert.assertTrue(content, content.contains(expectedSuccessHTML));
    +
    +		String expectedInfoFieldInput =
    +			"<p>InputName:" + infoField.getName() + "</p>";
    +
    +		Assert.assertFalse(content.contains(expectedInfoFieldInput));
    +	}
    +
     	private void _testRenderLayoutWithLocale(
     			Layout layout, Locale locale, String... strings)
     		throws Exception {
    
a2cf59ffd649

LPD-52923 Add the test info annotation

https://github.com/liferay/liferay-portal · Lourdes Fernández Besada · Apr 10, 2025 · via ghsa
1 file changed · +1 0
  • modules/apps/layout/layout-test/src/testIntegration/java/com/liferay/layout/taglib/test/RenderLayoutStructureTagTest.java+1 0 modified
    @@ -1888,6 +1888,7 @@ public void testRenderFormWithoutErrors() throws Exception {
     	}
     
     	@Test
    +	@TestInfo("LPD-52923")
     	public void testRenderFormWithSuccessMessage() throws Exception {
     		InfoField<TextInfoFieldType> infoField = _getInfoField(false);
     
    
6ebe92600877

LPD-52923 Escape user input success message

https://github.com/liferay/liferay-portal · Lourdes Fernández Besada · Apr 10, 2025 · via ghsa
1 file changed · +5 4
  • modules/apps/layout/layout-taglib/src/main/java/com/liferay/layout/taglib/internal/display/context/RenderLayoutStructureDisplayContext.java+5 4 modified
    @@ -62,6 +62,7 @@
     import com.liferay.portal.kernel.util.Constants;
     import com.liferay.portal.kernel.util.GetterUtil;
     import com.liferay.portal.kernel.util.HashMapBuilder;
    +import com.liferay.portal.kernel.util.HtmlUtil;
     import com.liferay.portal.kernel.util.ParamUtil;
     import com.liferay.portal.kernel.util.PortalUtil;
     import com.liferay.portal.kernel.util.SetUtil;
    @@ -663,16 +664,16 @@ public String getSuccessMessage(
     			JSONObject messageJSONObject =
     				successMessageJSONObject.getJSONObject("message");
     
    -			successMessage = messageJSONObject.getString(
    -				_themeDisplay.getLanguageId());
    +			successMessage = HtmlUtil.escape(
    +				messageJSONObject.getString(_themeDisplay.getLanguageId()));
     
     			if (Validator.isNull(successMessage)) {
     				String siteDefaultLanguageId = LanguageUtil.getLanguageId(
     					PortalUtil.getSiteDefaultLocale(
     						_themeDisplay.getScopeGroupId()));
     
    -				successMessage = messageJSONObject.getString(
    -					siteDefaultLanguageId);
    +				successMessage = HtmlUtil.escape(
    +					messageJSONObject.getString(siteDefaultLanguageId));
     			}
     		}
     
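Review bot: Escaping is applied at the two `messageJSONObject.getString` reads inside this branch, so any other assignment to `successMessage` in `getSuccessMessage` (the method starts and returns outside the hunk) stays unescaped unless it is handled elsewhere. Escaping once where the value leaves the method, e.g. `return HtmlUtil.escape(successMessage);`, would cover every path with a single line and be harder to undo in a later edit than two per-read calls. Note that `Validator.isNull(successMessage)` now tests the escaped string; that is equivalent to the old check only if `HtmlUtil.escape` maps an empty or null input back to one, which I expect but cannot confirm from the hunk. A short comment at the first escape such as `// The success message is user-supplied layout data; escape it before it reaches the page.` would record why the call sits here.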
    

