CVE-2025-43825

03.10.2025, 22:15

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Liferay	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Vendor	Product	Version
liferay	digital_experience_platform	2023.Q3.1 ≤ 𝑥 ≤ 2023.Q3.10
liferay	digital_experience_platform	2023.q4.0 ≤ 𝑥 ≤ 2023.q4.10
liferay	digital_experience_platform	2024.Q1.1 ≤ 𝑥 < 2024.Q1.13
liferay	digital_experience_platform	2024.Q2.1 ≤ 𝑥 ≤ 2024.Q2.13
liferay	digital_experience_platform	2024.Q3.0 ≤ 𝑥 ≤ 2024.Q3.13
liferay	digital_experience_platform	2024.Q4.0 ≤ 𝑥 < 2024.Q4.6
liferay	digital_experience_platform	2025.Q1.1 ≤ 𝑥 < 2025.Q1.4
liferay	digital_experience_platform	7.4
liferay	liferay_portal	7.4.0 ≤ 𝑥 ≤ 7.4.3.132

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-201 - Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43825