CVE-2025-43754Observable Timing Discrepancy in Digital Experience Platform

CWE-208Observable Timing Discrepancy4 documents4 sources
Severity
6.9MEDIUMNVD
EPSS
0.0%
top 86.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Liferay Digital Experience PlatformLiferay DXPLiferay Portal+1 more
Timeline
PublishedAug 21

Description

Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exist in the application by inspecting the server processing time of the login request.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

CVEListV5liferay/portal7.4.07.4.3.132
NVDliferay/liferay_portal7.4.07.4.3.132
NVDliferay/digital_experience_platform2024.Q1.12024.Q1.15+4
CVEListV5liferay/dxp7.4.137.4.13-u92+4

🔴Vulnerability Details

3
GHSA
Liferay Portal Username Enumeration Vulnerability2025-08-21
OSV
Liferay Portal Username Enumeration Vulnerability2025-08-21
CVEList
CVE-2025-43754: Username enumeration vulnerability in Liferay Portal 72025-08-21
CVE-2025-43754 — Observable Timing Discrepancy | cvebase