
Description

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.
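
The missing step described above, as an added example (not Liferay's code): a stateless TOTP check accepts the same code repeatedly within its validity period, while the hardened verifier records the last accepted time step per user and rejects any code at or below it. The function and class names, the in-memory store and the one-step skew window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1   # assumed tolerance: accept +/- 1 step of clock skew


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def matching_step(secret: bytes, code: str, now: float):
    """Return the time step whose TOTP equals `code`, or None."""
    current = int(now) // STEP
    found = None
    for step in range(current - WINDOW, current + WINDOW + 1):
        expected = totp(secret, step).encode()
        if step >= 0 and hmac.compare_digest(expected, code.encode()):
            found = step
    return found


def verify_stateless(secret: bytes, code: str, now: float) -> bool:
    """Weak form: a code stays usable for its whole validity period."""
    return matching_step(secret, code, now) is not None


class ReplaySafeVerifier:
    """Hardened form: remembers the last accepted step per user."""

    def __init__(self):
        # user id -> highest step already consumed (in-memory for the demo;
        # a real deployment needs a store shared by all nodes)
        self.last_step = {}

    def verify(self, user: str, secret: bytes, code: str, now: float) -> bool:
        step = matching_step(secret, code, now)
        if step is None or step <= self.last_step.get(user, -1):
            return False  # wrong code, or a code that was already used
        self.last_step[user] = step
        return True
```

The check and the update of the last accepted step have to be atomic per user, otherwise two concurrent logins with the same code can both pass.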

PUBLISHED Reserved 2025-04-17 | Published 2025-09-15 | Updated 2025-09-16 | Assigner Liferay




LOW: 2.1 | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-304: Missing Critical Step in Authentication

Product status

Default status
unaffected

7.3.10 (maven)
affected

7.4.13 (maven)
affected

2023.Q3.1 (maven)
affected

2023.Q4.0 (maven)
affected

References

liferay.dev/...-/asset_publisher/jekt/content/CVE-2025-43798

cve.org (CVE-2025-43798)

nvd.nist.gov (CVE-2025-43798)
