CVE-2025-43808 – Liferay Portal Commerce Virtual Product Information Disclosure

CVE ID : CVE-2025-43808

Published : Sept. 19, 2025, 8:37 p.m. | 27 minutes ago

Description : The Commerce component in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.

Severity: 6.9 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…