PT-2025-37725 · Liferay · Liferay Portal 7.3 GA +6

Published 2025-09-15 · Updated 2025-12-16 · CVE-2025-43792

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3 GA through update 35
Liferay Portal versions 7.4.0 through 7.4.3.105
Liferay DXP versions 2023.Q3.1 through 2023.Q3.4
Liferay DXP version 2023.Q4.0
Liferay Portal versions 7.4 GA through update 92

Description

The application does not properly obtain the remote address of the live site from the database. This allows remote authenticated users to exfiltrate data to an attacker-controlled server via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress and _com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort parameters. Successful exploitation requires the attacker to obtain the staging server’s shared secret and add the attacker-controlled server to the staging server’s whitelist.

Recommendations

Liferay Portal versions 7.3 GA through update 35: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Liferay Portal versions 7.4.0 through 7.4.3.105: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Liferay DXP versions 2023.Q3.1 through 2023.Q3.4: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Liferay DXP version 2023.Q4.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Liferay Portal versions 7.4 GA through update 92: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2025-43792
GHSA-VP64-77C6-33H8

Affected Products

Liferay DXP 2023.Q3.1
Liferay DXP 2023.Q3.4
Liferay DXP 2023.Q4.0
Liferay Portal 7.3 GA
Liferay Portal 7.4 GA
Liferay Portal 7.4.0
Liferay Portal 7.4.3.105