CVE-2025-43792 — External Control of System or Configuration Setting in Digital Experience Platform

CWE-15 — External Control of System or Configuration Setting4 documents4 sources

Severity

2.3LOWNVD

EPSS

0.0%

top 85.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 15

Description

Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly obtain the remote address of the live site from the database which, which allows remote authenticated users to exfiltrate data to an attacker controlled server (i.e., a fake “live site”) via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_…

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal< 7.4.3.106

▶CVEListV5liferay/portal7.4.0 — 7.4.3.105

▶NVDliferay/digital_experience_platform2023.q3.1 — 2023.q3.5+4

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u35+3

🔴Vulnerability Details

CVEList

CVE-2025-43792: Remote staging in Liferay Portal 7↗2025-09-15

▶

OSV

Liferay Portal has External Control of System or Configuration Settings↗2025-09-15

▶

GHSA

Liferay Portal has External Control of System or Configuration Settings↗2025-09-15

▶