CVE-2025-43803

Unknown Unknown - Not Provided

BaseFortify

Publication date: 2025-09-19

Last updated on: 2025-12-16

Assigner: Liferay Inc.

Description

Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact’s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-09-19

Last Modified

2025-12-16

Generated

2026-06-16

AI Q&A

2025-09-19

EPSS Evaluated

2026-06-15

NVD

CVE-2025-43803

EUVD

EUVD-2025-30244

Affected Vendors & Products

Vendor	Product	Version / Range
liferay	digital_experience_platform	to 7.3 (inc)
liferay	digital_experience_platform	From 2023.Q3.1 (inc) to 2023.Q3.10 (inc)
liferay	digital_experience_platform	From 2023.Q4.0 (inc) to 2023.Q4.7 (exc)
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	7.4
liferay	liferay_portal	From 7.4.0 (inc) to 7.4.3.120 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-639	The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

Executive Summary

CVE-2025-43803 is an Insecure Direct Object Reference (IDOR) vulnerability in the Contacts Center widget of Liferay Portal and Liferay DXP. It allows remote attackers to access contact information, such as the contact's name and email address, by manipulating the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter. This means unauthorized users can view sensitive contact details without proper authorization. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of contact information, including names and email addresses. Attackers can remotely access this sensitive data without needing any privileges or user interaction, potentially leading to privacy breaches, targeted phishing attacks, or other malicious activities that exploit exposed contact details. [1]

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the Contacts Center widget in Liferay Portal or Liferay DXP for suspicious manipulation of the `_com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId` parameter. You can use tools like curl or wget to test if unauthorized access to contact information is possible by sending requests with different entryId values. For example, a command like `curl -i 'http://<liferay-server>/path/to/contactscenter?_com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId=<test_id>'` can be used to check if contact details are exposed without proper authorization. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Liferay Portal or Liferay DXP to a fixed version where the vulnerability is resolved, such as Liferay Portal 7.4.3.120, Liferay DXP 2023.Q4.7, 2024.Q1.1, or 2024.Q2.0. If upgrading is not immediately possible, restrict access to the Contacts Center widget to trusted users only, implement network-level controls to limit exposure, and monitor logs for suspicious access patterns involving the `_com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId` parameter. [1]

Hi! I’m here to help you understand CVE-2025-43803. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-43803

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart