Description

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.
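The practical question for an operator is not how the permission got there but which virtual-product files are currently readable by the Guest role. The script below is an added example for auditing that, not Liferay's code and not from the advisory: it fetches each supplied Documents and Media download URL with no session cookie or credentials and reports any URL whose body is served anonymously. The URL list, the host `shop.example` and the response mapping in the test are assumptions; the operator supplies the real download URLs of the virtual-product files from their own portal.

```python
"""Audit Documents and Media download URLs for anonymous (Guest) readability.

Added example in the context of CVE-2025-43808; not Liferay's code.
Assumes the operator supplies the download URLs of the virtual-product files.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# A fetcher maps a URL to the HTTP status returned to an unauthenticated client.
Fetcher = Callable[[str], int]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a login redirect surfaces as a 3xx status."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def anonymous_status(url: str, timeout: float = 10.0) -> int:
    """GET the URL with no cookies or credentials and return the status code.

    A 200 means the file body was handed to an anonymous client. A 3xx (login
    redirect) or 401/403 means the Guest role was not allowed to view it.
    """
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "perm-audit"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # Non-2xx responses (including the refused redirect) arrive here.
        return err.code


def classify(status: int) -> str:
    """Map a status code to an audit verdict."""
    if status == 200:
        return "EXPOSED"        # served to an anonymous client: Guest has VIEW
    if status in (401, 403) or 300 <= status < 400:
        return "protected"      # refused or bounced to login
    if status == 404:
        return "not-found"      # URL wrong, file deleted, or hidden by the server
    return f"other({status})"


def audit(urls: List[str], fetch: Fetcher = anonymous_status) -> Dict[str, str]:
    """Return a verdict per URL, in input order."""
    return {u: classify(fetch(u)) for u in urls}


def exposed(urls: List[str], fetch: Fetcher = anonymous_status) -> List[str]:
    """Return only the URLs whose file body is readable without logging in."""
    return [u for u, verdict in audit(urls, fetch).items() if verdict == "EXPOSED"]


if __name__ == "__main__":
    # Usage: python audit.py < urls.txt   (one download URL per line, assumed input)
    targets = [line.strip() for line in sys.stdin if line.strip()]
    for url, verdict in audit(targets).items():
        print(f"{verdict:10} {url}")
    sys.exit(1 if exposed(targets) else 0)
```

Run it from a host that has no Liferay session, and treat every EXPOSED line as a file whose Guest VIEW permission must be removed in the portal's permission settings. Applying the vendor fix stops newly uploaded virtual products from being saved with that permission; files already saved keep whatever permissions they were stored with, so audit the existing catalog after upgrading rather than assuming the patch cleaned it up.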

Status: PUBLISHED | Reserved 2025-04-17 | Published 2025-09-19 | Updated 2025-09-22 | Assigner: Liferay

Severity: MEDIUM, 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-732 Incorrect Permission Assignment for Critical Resource

Product status

Default status: unaffected
7.3.0 (maven): affected

Default status: unaffected
7.3.10 (maven): affected
7.4.13 (maven): affected
2023.Q3.1 (maven): affected
2023.Q4.0 (maven): affected

Credits

foobar7 (reporter)

References

liferay.dev/...-/asset_publisher/jekt/content/CVE-2025-43808

cve.org (CVE-2025-43808)

nvd.nist.gov (CVE-2025-43808)