CVE-2025-43825

CWE-2014 documents4 sources

Severity

4.6MEDIUM

EPSS

0.0%

top 86.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP Liferay Portal +1 more

Timeline

PublishedOct 3

Latest updateOct 4

Description

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that s…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶Mavencom.liferay:com.liferay.portal.template.freemarker7.0.3 — 7.0.60

▶CVEListV5liferay/portal7.4.0 — 7.4.3.132

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.132

▶NVDliferay/digital_experience_platform2024.Q1.1 — 2024.Q1.13+7

▶CVEListV5liferay/dxp2023.Q3.1 — 2023.Q3.10+6

🔴Vulnerability Details

GHSA

Liferay Portal exposes sensitive user data through its Freemarker template↗2025-10-04

▶

OSV

Liferay Portal exposes sensitive user data through its Freemarker template↗2025-10-04

▶

CVEList

CVE-2025-43825: A vulnerability in Liferay Portal 7↗2025-10-03

▶