CVE-2025-43808 — Incorrect Permission Assignment in Digital Experience Platform

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 95.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 19

Description

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.113

▶CVEListV5liferay/portal7.3.0 — 7.4.3.112

▶NVDliferay/digital_experience_platform2023.Q4.0 — 2023.Q4.9+3

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u36+3

🔴Vulnerability Details

GHSA

Liferay Portal Commerce component has Incorrect Permission Assignment for Critical Resource↗2025-09-19

▶

OSV

Liferay Portal Commerce component has Incorrect Permission Assignment for Critical Resource↗2025-09-19

▶

CVEList

CVE-2025-43808: The Commerce component in Liferay Portal 7↗2025-09-19

▶