Remote Access Vulnerability in Liferay Portal 7.1.0 to 7.4.3.111 and Liferay DXP 2023 Versions
CVE-2025-43797

5.3 MEDIUM

Key Information:

Vendor: Liferay

Status
Vendor
CVE Published: 15 September 2025

What is CVE-2025-43797?

A vulnerability in Liferay Portal and Liferay DXP sets the default membership type of newly created sites to 'Open', so any registered user can become a member of the site. A remote attacker who gains membership this way can potentially view, add, or edit site content, which puts the confidentiality and integrity of that content at risk.

Affected Version(s)

DXP 7.3.10 <= 7.3.10-u35

DXP 7.4.13 <= 7.4.13-u92

DXP 2023.Q3.1 <= 2023.Q3.4

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
