CVE-2025-43798
published 2025-09-15CVE-2025-43798: Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be…
low2.1CVSS 4.0
AVNACHATNPRNUIAVCLVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| liferay | digital_experience_platform | — | — |
| liferay | digital_experience_platform | — | — |
| liferay | digital_experience_platform | — | — |
| liferay | digital_experience_platform | >= 2023.q3.1 < 2023.q3.5 | 2023.q3.5 |
| liferay | dxp | — | — |
| liferay | dxp | 2023.Q3.1 – 2023.Q3.4 | — |
| liferay | dxp | 7.3.10 – 7.3.10-u35 | — |
| liferay | dxp | 7.4.13 – 7.4.13-u92 | — |
CVSS provenance
nvdv4.02.1LOWCVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cisa7.5HIGH