CVE-2025-43748
BaseFortify
Publication date: 2025-08-20
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 7.0 (inc) to 7.4 (inc) |
| liferay | digital_experience_platform | From 2023.Q3.1 (inc) to 2023.Q3.9 (inc) |
| liferay | digital_experience_platform | From 2023.Q4.0 (inc) to 2023.Q4.9 (inc) |
| liferay | digital_experience_platform | From 2024.Q1.1 (inc) to 2024.Q1.7 (exc) |
| liferay | liferay_portal | From 7.0.0 (inc) to 7.4.3.120 (exc) |
| liferay | liferay_portal | 6.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an insufficient Cross-Site Request Forgery (CSRF) protection issue affecting omni-administrator users in various versions of Liferay Portal and Liferay DXP. It allows attackers to execute CSRF attacks, potentially making unauthorized requests on behalf of an authenticated administrator.
How can this vulnerability impact me?
The vulnerability can allow attackers to perform unauthorized actions with the privileges of an omni-administrator user, potentially leading to unauthorized changes, data manipulation, or other malicious activities within the affected Liferay Portal or DXP environments.