CVE-2025-43751 — Observable Discrepancy in Digital Experience Platform

CWE-203 — Observable Discrepancy4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 82.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP Liferay Portal +1 more

Timeline

PublishedAug 22

Description

User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exist in the application via the create account page.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5liferay/portal7.4.0 — 7.4.3.132

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.132

▶NVDliferay/digital_experience_platform2024.Q1.11 — 2024.Q1.15+6

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+6

🔴Vulnerability Details

OSV

Liferay Portal User Enumeration Vulnerability via the Create Account Page↗2025-08-22

▶

GHSA

Liferay Portal User Enumeration Vulnerability via the Create Account Page↗2025-08-22

▶

CVEList

CVE-2025-43751: User enumeration vulnerability in Liferay Portal 7↗2025-08-22

▶