CVE-2025-43805 — Missing Authorization in Digital Experience Platform

CWE-862 — Missing Authorization4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 81.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 16

Latest updateSep 17

Description

Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 does not perform an authorization check when users attempt to view a display page template, which allows remote attackers to view display page templates via crafted URLs.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.3.0 — 7.4.3.112

▶CVEListV5liferay/portal7.3.0 — 7.4.3.111

▶NVDliferay/digital_experience_platform2023.Q3.0 — 2023.Q3.5+2

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u35+3

🔴Vulnerability Details

OSV

Liferay Portal allows remote attackers to view display page templates via crafted URLs↗2025-09-17

▶

GHSA

Liferay Portal allows remote attackers to view display page templates via crafted URLs↗2025-09-17

▶

CVEList

CVE-2025-43805: Liferay Portal 7↗2025-09-16

▶