CVE-2025-43809 — Cross-Site Request Forgery in Digital Experience Platform

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 99.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 19

Description

Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allows remote attackers to register a server license via the 'orderUuid' parameter.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.112

▶CVEListV5liferay/portal7.4.0 — 7.4.3.111

▶NVDliferay/digital_experience_platform2023.q3.1 — 2023.q3.9+2

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+2

🔴Vulnerability Details

OSV

Liferay Portal Cross-Site Request Forgery (CSRF) vulnerability↗2025-09-19

▶

GHSA

Liferay Portal Cross-Site Request Forgery (CSRF) vulnerability↗2025-09-19

▶

CVEList

CVE-2025-43809: Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7↗2025-09-19

▶