PT-2025-39229 · Liferay · Liferay Portal+1

Published 2025-09-24 · Updated 2025-12-15 · CVE-2025-43819

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.3.121 through 7.4.3.121
Liferay Portal versions 7.3.3.121 through 7.3.3.131
Liferay DXP versions 2024.Q4.0 through 2024.Q4.3
Liferay DXP versions 2024.Q3.1 through 2024.Q3.13
Liferay DXP versions 2024.Q2.0 through 2024.Q2.13
Liferay DXP versions 2024.Q1.1 through 2024.Q1.12

Description

An insufficient session expiration issue exists in Liferay Portal and DXP. This allows a remote, unauthenticated attacker to reuse existing user sessions through the SLO (Single Logout) API.

Recommendations

Update Liferay Portal to a version after 7.4.3.121.
Update Liferay Portal to a version after 7.3.3.131.
Update Liferay DXP to a version after 2024.Q4.3.
Update Liferay DXP to a version after 2024.Q3.13.
Update Liferay DXP to a version after 2024.Q2.13.
Update Liferay DXP to a version after 2024.Q1.12.

Fix

Insufficient Session Expiration

Weakness Enumeration

Related Identifiers

CVE-2025-43819
GHSA-RPX3-F938-XJ5Q

Affected Products

Liferay DXP
Liferay Portal