PT-2025-37766 · Liferay · Liferay Portal+1

Published: 2025-09-15 · Updated: 2025-12-16 · CVE-2025-43797

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.1.0 through 7.4.3.111
Liferay DXP versions 2023.Q3.1 through 2023.Q3.4
Liferay DXP version 2023.Q4.0
Liferay Portal 7.3 GA through update 35
Liferay Portal 7.4 GA through update 92

Description

The default membership type of a newly created site is “Open,” which allows any registered user to become a member. A remote attacker with site membership can potentially view, add, or edit content on the site.

Recommendations

For Liferay Portal versions 7.1.0 through 7.4.3.111, ensure the default membership type for new sites is not set to “Open.”
For Liferay DXP versions 2023.Q3.1 through 2023.Q3.4, ensure the default membership type for new sites is not set to “Open.”
For Liferay DXP version 2023.Q4.0, ensure the default membership type for new sites is not set to “Open.”
For Liferay Portal 7.3 GA through update 35, ensure the default membership type for new sites is not set to “Open.”
For Liferay Portal 7.4 GA through update 92, ensure the default membership type for new sites is not set to “Open.”

Related Identifiers

CVE-2025-43797
GHSA-25M3-W28P-V3V3

Affected Products

Liferay DXP
Liferay Portal