PT-2025-38626 · Liferay · Liferay Portal+1
Foobar7 · Published 2025-09-19 · Updated 2025-12-15 · CVE-2025-43808
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3.0 through 7.4.3.112
Liferay DXP versions 2023.Q4.0 through 2023.Q4.8
Liferay DXP versions 2023.Q3.1 through 2023.Q3.10
Liferay Portal 7.4 GA through update 92
Liferay Portal 7.3 service pack 3 through update 35
Description
The Commerce component allows remote attackers to access and download virtual products for free via a crafted URL. This is possible because virtual products uploaded to Documents and Media are saved with guest view permission, so the stored file is viewable without authentication.
Recommendations
Liferay Portal versions 7.3.0 through 7.4.3.112: Restrict guest access to virtual products in Documents and Media.
Liferay DXP versions 2023.Q4.0 through 2023.Q4.8: Restrict guest access to virtual products in Documents and Media.
Liferay DXP versions 2023.Q3.1 through 2023.Q3.10: Restrict guest access to virtual products in Documents and Media.
Liferay Portal 7.4 GA through update 92: Restrict guest access to virtual products in Documents and Media.
Liferay Portal 7.3 service pack 3 through update 35: Restrict guest access to virtual products in Documents and Media.
Fix
Incorrect Permission
Affected Products
Liferay DXP
Liferay Portal