CVE-2025-43793 — Improper Validation of Specified Quantity in Input in Digital Experience Platform

CWE-1284 — Improper Validation of Specified Quantity in Input4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 80.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 15

Description

Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that share the same TLD to read cookies set by the application.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal< 7.4.3.106

▶CVEListV5liferay/portal7.4.0 — 7.4.3.105

▶NVDliferay/digital_experience_platform2023.q3.1 — 2023.q3.5+4

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u35+3

🔴Vulnerability Details

GHSA

Liferay Portal has Improper Validation of Specified Quantity in Input↗2025-09-15

▶

CVEList

CVE-2025-43793: Liferay Portal 7↗2025-09-15

▶

OSV

Liferay Portal has Improper Validation of Specified Quantity in Input↗2025-09-15

▶