CVE-2025-43798 — Missing Critical Step in Authentication in Digital Experience Platform

CWE-304 — Missing Critical Step in Authentication CWE-22 — Path Traversal5 documents5 sources

Severity

2.1LOWNVD

CISA7.5

EPSS

0.0%

top 91.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP

Timeline

PublishedSep 15

Latest updateOct 9

Description

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDliferay/digital_experience_platform2023.q3.1 — 2023.q3.5+3

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u35+3

🔴Vulnerability Details

GHSA

Liferay DXP Missing Critical Step in Authentication↗2025-09-15

▶

CVEList

CVE-2025-43798: Liferay DXP 2023↗2025-09-15

▶

OSV

Liferay DXP Missing Critical Step in Authentication↗2025-09-15

▶

📋Vendor Advisories

CISA

Grafana Path Traversal Vulnerability↗2025-10-09

▶