CVE-2025-43777
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-12-12
Assigner: Liferay Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2024.Q1.1 (inc) to 2024.Q1.20 (exc) |
| liferay | digital_experience_platform | From 2024.Q2.0 (inc) to 2024.Q2.13 (inc) |
| liferay | digital_experience_platform | From 2024.Q3.0 (inc) to 2024.Q3.13 (inc) |
| liferay | digital_experience_platform | From 2024.Q4.0 (inc) to 2024.Q4.7 (inc) |
| liferay | digital_experience_platform | From 2025.Q1.0 (inc) to 2025.Q1.17 (exc) |
| liferay | digital_experience_platform | From 2025.Q2.0 (inc) to 2025.Q2.10 (exc) |
| liferay | liferay_portal | From 7.4.0 (inc) to 7.4.3.132 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In affected versions of Liferay Portal and Liferay DXP, a login attempt that presents a Client Secret which has since been deleted is not handled as an ordinary authentication failure: the response body carries an "Internal Server Error" message instead of a generic rejection. This is an information exposure through an error message (CWE-209), and any client able to submit such a login request can observe the message. [1]
How can this vulnerability impact me?
The exposure is limited to the text of the error message returned during a login attempt with a deleted Client Secret, so the impact on confidentiality and integrity is low. The message still tells an attacker that this input reaches a server-side failure path rather than the normal credential-rejection path, which helps in mapping how the system handles authentication and may support further attacks when combined with other weaknesses. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is behavioural: perform a login attempt that presents a Client Secret known to have been deleted and inspect the response body for the string "Internal Server Error". A patched instance should answer with an ordinary authentication error rather than that message. The request can be sent with curl, Postman or a short script; monitoring for login attempts that end in an "Internal Server Error" response is the corresponding runtime check. The resources do not give exact commands or the endpoint path. [1]
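The following is an added example, not code from the advisory, from BaseFortify or from Liferay. It assumes that the "login attempt with a Client Secret" is an OAuth 2 client_credentials request with HTTP Basic client authentication to Liferay's token endpoint at `/o/oauth2/token`; the advisory names neither the grant nor the path, so treat both as assumptions. The sample responses are constructed so the classifier can be run offline; `probe_token_endpoint` performs the live request against a host you are authorized to test.

```python
"""Send a token request with a (deleted) Client Secret and classify the
response for the CWE-209 symptom described in CVE-2025-43777."""
import base64
import json
import urllib.error
import urllib.request

# The string the advisory says leaks into the response body.
LEAK_MARKER = "Internal Server Error"


def classify_token_response(status: int, body: str) -> str:
    """Classify one token-endpoint response.

    'leak'     - server error text is present in the body (the advisory's symptom)
    'expected' - an RFC 6749 error object, e.g. {"error": "invalid_client"}
    'success'  - an access token was issued, so the secret is still valid
    'other'    - anything else; inspect by hand
    """
    if LEAK_MARKER.lower() in body.lower():
        return "leak"
    try:
        payload = json.loads(body)
    except ValueError:
        return "other"
    if status == 200 and "access_token" in payload:
        return "success"
    if "error" in payload:
        return "expected"
    return "other"


def probe_token_endpoint(base_url: str, client_id: str, client_secret: str,
                         timeout: float = 10.0):
    """Live check: client_credentials grant with Basic client auth.

    Assumption (not stated in the advisory): the token endpoint is
    /o/oauth2/token. Returns (status, body, verdict).
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/o/oauth2/token",
        data=b"grant_type=client_credentials",
        headers={
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        status, body = err.code, err.read().decode(errors="replace")
    return status, body, classify_token_response(status, body)


# Constructed sample responses (not captured from a real server) for offline runs.
SAMPLES = {
    "deleted_secret_vulnerable": (500, "Internal Server Error"),
    "deleted_secret_patched": (401, '{"error":"invalid_client"}'),
    "valid_secret": (200, '{"access_token":"REDACTED","token_type":"Bearer"}'),
    "empty_body": (500, ""),
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_token_response(s, b) for name, (s, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

Only a response classified as `leak` reproduces the advisory; an `expected` verdict for a deleted secret is the behaviour you want after upgrading. Run `probe_token_endpoint` against a staging instance with a Client Secret you deleted yourself rather than guessing secrets on production.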
What immediate steps should I take to mitigate this vulnerability?
Upgrade to a fixed release. The issue is fixed in Liferay DXP 2024.Q1.20, 2025.Q1.17 and 2025.Q2.10, and on the Liferay Portal master branch. The affected-versions table above names no fixed release for the 2024.Q2, 2024.Q3 and 2024.Q4 lines or for Liferay Portal 7.4.x, so instances on those lines should move to one of the fixed quarterly releases. [1]