CVE-2025-43808

Published: Sep 19, 2025

Modified: Sep 22, 2025

PUBLISHED

Description

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.

Vendor	Product	Versions
Liferay	Portal	affected `7.3.0 - <= 7.4.3.112`
Liferay	DXP	affected `7.3.10 - <= 7.3.10-u36` affected `7.4.13 - <= 7.4.13-u92` affected `2023.Q3.1 - <= 2023.Q3.10` affected `2023.Q4.0 - <= 2023.Q4.8`

Weaknesses (CWE)

CWE-732

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43808

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-43808

Description

Affected Products

Weaknesses (CWE)

References