CVE-2025-43819
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-12-15
Assigner: Liferay Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2024.Q1.1 (inc) to 2024.Q1.13 (exc) |
| liferay | digital_experience_platform | From 2024.q2.0 (inc) to 2024.q2.13 (inc) |
| liferay | digital_experience_platform | From 2024.q3.1 (inc) to 2024.q3.13 (inc) |
| liferay | digital_experience_platform | From 2024.Q4.0 (inc) to 2024.Q4.4 (exc) |
| liferay | digital_experience_platform | 7.4 |
| liferay | liferay_portal | From 7.4.3.121 (inc) to 7.4.3.132 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insufficient Session Expiration issue in certain versions of Liferay Portal and Liferay DXP. It allows a remote non-authenticated attacker to reuse an old user session by exploiting the Single Logout (SLO) API, meaning that sessions are not properly invalidated or expired, enabling unauthorized access.
How can this vulnerability impact me?
The vulnerability can allow attackers to reuse old user sessions without authentication, potentially leading to unauthorized access to user accounts or sensitive information. This can compromise the security of the affected system and its users.