CVE-2025-43819Insufficient Session Expiration in Digital Experience Platform

CWE-613Insufficient Session ExpirationCWE-476NULL Pointer Dereference5 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 86.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Liferay Digital Experience PlatformLiferay PortalLiferay DXP+1 more
Timeline
PublishedSep 24

Description

A Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 is allow an remote non-authenticated attacker to reuse old user session by SLO API

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

NVDliferay/liferay_portal7.4.3.1217.4.3.132
CVEListV5liferay/portal7.4.3.1217.4.3.131
NVDliferay/digital_experience_platform2024.Q1.12024.Q1.13+4
CVEListV5liferay/dxp2024.Q1.12024.Q1.12+3

🔴Vulnerability Details

3
OSV
Liferay Portal and DXP does not properly expire sessions2025-09-24
CVEList
CVE-2025-43819: A Insufficient Session Expiration vulnerability in the Liferay Portal 72025-09-24
GHSA
Liferay Portal and DXP does not properly expire sessions2025-09-24

📋Vendor Advisories

1
Microsoft
kvm: s390: Reject memory region operations for ucontrol VMs2024-08-13
CVE-2025-43819 — Insufficient Session Expiration | cvebase