CVE-2025-43793
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Description
Description
Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that share the same TLD to read cookies set by the application.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | to 7.3 (exc) |
| liferay | digital_experience_platform | From 2023.q3.1 (inc) to 2023.q3.5 (exc) |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 2023.q4.0 |
| liferay | liferay_portal | to 7.4.3.106 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43793 is a vulnerability in Liferay Portal and Liferay DXP where the software incorrectly identifies the subdomain of a domain name, causing it to create a supercookie. This flaw allows remote attackers who control a website sharing the same top-level domain (TLD) to read cookies set by the affected application, potentially compromising user data. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers who control a website under the same top-level domain to read cookies set by your Liferay application. This can lead to unauthorized access to sensitive user data stored in cookies, compromising confidentiality and potentially leading to further attacks or data breaches. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade affected Liferay Portal and Liferay DXP installations to the fixed versions: Liferay Portal 7.4.3.106 or later, Liferay DXP 2024.Q1.1, 2023.Q4.1, 2023.Q3.5, or 7.3 U36 or later. Applying these updates will prevent the incorrect subdomain identification and supercookie creation that allows remote attackers to read cookies. Additionally, consider monitoring and restricting access to websites sharing the same top-level domain (TLD) to reduce exposure. [1]
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70