VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published Oct 8, 2025· Updated Oct 8, 2025

CVE-2025-43771

CVE-2025-43771

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.liferay:com.liferay.flags.webMaven
>= 6.0.23, < 6.0.246.0.24

Affected products

2

Patches

4
28dc724658e1

LPD-15182 SF

https://github.com/liferay/liferay-portalBrian ChanJan 25, 2024via ghsa
commit
1 file changed · +13 17
  • modules/apps/flags/flags-test/src/testIntegration/java/com/liferay/flags/web/internal/notifications/test/FlagsUserNotificationHandlerTest.java+13 17 modified
    @@ -13,6 +13,7 @@
 import com.liferay.message.boards.service.MBMessageLocalServiceUtil;
 import com.liferay.portal.kernel.json.JSONFactoryUtil;
 import com.liferay.portal.kernel.json.JSONObject;
+import com.liferay.portal.kernel.json.JSONUtil;
 import com.liferay.portal.kernel.model.UserNotificationEvent;
 import com.liferay.portal.kernel.notifications.UserNotificationDefinition;
 import com.liferay.portal.kernel.notifications.UserNotificationFeedEntry;
@@ -51,15 +52,16 @@ public class FlagsUserNotificationHandlerTest {
 
 	@Test
 	public void testBodyShouldBeEscaped() throws Exception {
+		UserNotificationEvent userNotificationEvent =
+			new UserNotificationEventImpl();
+
+		String userName = "'\"></option><img src=x onerror=alert(userName)>";
 		long groupId = TestPropsValues.getGroupId();
+		String content = "'\"></option><img src=x onerror=alert(content)>";
 
 		ServiceContext serviceContext =
 			ServiceContextTestUtil.getServiceContext(groupId);
 
-		String userName = "'\"></option><img src=x onerror=alert(userName)>";
-		String content = "'\"></option><img src=x onerror=alert(content)>";
-		String siteName = "'\"></option><img src=x onerror=alert(siteName)>";
-
 		MBMessage mbMessage = MBMessageLocalServiceUtil.addMessage(
 			null, TestPropsValues.getUserId(), userName, groupId,
 			MBCategoryConstants.DEFAULT_PARENT_CATEGORY_ID, 0L,
@@ -70,13 +72,10 @@ public void testBodyShouldBeEscaped() throws Exception {
 
 		MBThread mbThread = mbMessage.getThread();
 
-		UserNotificationEvent userNotificationEvent =
-			new UserNotificationEventImpl();
-
-		JSONObject jsonObject = JSONFactoryUtil.createJSONObject();
+		String siteName = "'\"></option><img src=x onerror=alert(siteName)>";
 
 		userNotificationEvent.setPayload(
-			jsonObject.put(
+			JSONUtil.put(
 				"className", MBThread.class.getName()
 			).put(
 				"classPK", mbThread.getThreadId()
@@ -113,13 +112,15 @@ public void testBodyShouldBeEscaped() throws Exception {
 
 	@Test
 	public void testGetBody() throws Exception {
+		UserNotificationEvent userNotificationEvent =
+			new UserNotificationEventImpl();
+
 		long groupId = TestPropsValues.getGroupId();
+		String content = "#63;";
 
 		ServiceContext serviceContext =
 			ServiceContextTestUtil.getServiceContext(groupId);
 
-		String content = "#63;";
-
 		MBMessage mbMessage = MBMessageLocalServiceUtil.addMessage(
 			null, TestPropsValues.getUserId(), StringUtil.randomString(),
 			groupId, MBCategoryConstants.DEFAULT_PARENT_CATEGORY_ID, 0L,
@@ -130,13 +131,8 @@ public void testGetBody() throws Exception {
 
 		MBThread mbThread = mbMessage.getThread();
 
-		UserNotificationEvent userNotificationEvent =
-			new UserNotificationEventImpl();
-
-		JSONObject jsonObject = JSONFactoryUtil.createJSONObject();
-
 		userNotificationEvent.setPayload(
-			jsonObject.put(
+			JSONUtil.put(
 				"className", MBThread.class.getName()
 			).put(
 				"classPK", mbThread.getThreadId()
cca5fe50a5b6

LPD-15182 use the escaped value

https://github.com/liferay/liferay-portalAlicia GarcíaJan 23, 2024via ghsa
commit
1 file changed · +1 1
  • modules/apps/asset/asset-publisher-web/src/main/java/com/liferay/asset/publisher/web/internal/notifications/AssetPublisherUserNotificationHandler.java+1 1 modified
    @@ -58,7 +58,7 @@ protected String getBodyContent(JSONObject jsonObject) {
 		JSONObject assetEntriesJSONObject = contextJSONObject.getJSONObject(
 			"[$ASSET_ENTRIES$]");
 
-		return assetEntriesJSONObject.getString("originalValue");
+		return assetEntriesJSONObject.getString("escapedValue");
 	}
 
 	protected String getTitle(
0f1f6b628d40

LPD-15182 rename method

https://github.com/liferay/liferay-portalAlicia GarcíaJan 23, 2024via ghsa
commit
1 file changed · +7 7
  • modules/apps/flags/flags-web/src/main/java/com/liferay/flags/web/internal/notifications/FlagsUserNotificationHandler.java+7 7 modified
    @@ -49,22 +49,22 @@ protected String getBody(
 					serviceContext.getLocale(),
 					"a-x-named-x-was-flagged-as-x-by-x",
 					new String[] {
-						_getOriginalValue(
+						_getEscapedValue(
 							contextJSONObject.getJSONObject(
 								"[$CONTENT_TYPE$]")),
-						_getOriginalValue(
+						_getEscapedValue(
 							contextJSONObject.getJSONObject(
 								"[$CONTENT_TITLE$]")),
-						_getOriginalValue(
+						_getEscapedValue(
 							contextJSONObject.getJSONObject("[$REASON|uri$]")),
-						_getOriginalValue(
+						_getEscapedValue(
 							contextJSONObject.getJSONObject(
 								"[$REPORTER_USER_NAME$]"))
 					}),
 				_language.format(
 					serviceContext.getLocale(),
 					"inappropriate-content-flagged-in-x",
-					_getOriginalValue(
+					_getEscapedValue(
 						contextJSONObject.getJSONObject("[$SITE_NAME$]")))
 			});
 	}
@@ -80,11 +80,11 @@ protected String getLink(
 
 		JSONObject contextJSONObject = jsonObject.getJSONObject("context");
 
-		return _getOriginalValue(
+		return _getEscapedValue(
 			contextJSONObject.getJSONObject("[$CONTENT_URL$]"));
 	}
 
-	private String _getOriginalValue(JSONObject jsonObject) {
+	private String _getEscapedValue(JSONObject jsonObject) {
 		return jsonObject.getString("escapedValue");
 	}
90b677d7ca74

LPD-15182 use the escaped value

https://github.com/liferay/liferay-portalAlicia GarcíaJan 23, 2024via ghsa
commit
1 file changed · +1 1
  • modules/apps/flags/flags-web/src/main/java/com/liferay/flags/web/internal/notifications/FlagsUserNotificationHandler.java+1 1 modified
    @@ -85,7 +85,7 @@ protected String getLink(
 	}
 
 	private String _getOriginalValue(JSONObject jsonObject) {
-		return jsonObject.getString("originalValue");
+		return jsonObject.getString("escapedValue");
 	}
 
 	@Reference

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.