CVE-2025-43745 MEDIUM

CVE-2025-43745

Vendor Liferay
Product Portal
Weakness CWE-352 · CSRF
Published August 19, 2025
Last update August 19, 2025
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to performs cross-origin request on behalf of the authenticated user via the endpoint parameter.

Key dates

02Disclosure timeline

August 19, 2025 CVE published
August 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-51650 WordPress Random Featured Post plugin <= 1.1.3 - CSRF to Stored Cross Site Scripting (XSS) vulnerability CVE-2024-43192 IBM Storage TS4500 Library cross-site request forgery CVE-2026-8433 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan() CVE-2025-31809 WordPress Labinator Content Types Duplicator Plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-1918 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_callback'