fkie_cve-2025-43798
Vulnerability from fkie_nvd
Published
2025-09-15 21:15
Modified
2025-12-16 16:36
Severity ?
Summary
Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01AC8CB4-9E89-40E6-B4F6-6F1BB36C855D",
"versionEndExcluding": "2023.q3.5",
"versionStartIncluding": "2023.q3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
"matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
"matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
"matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
"matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_2:*:*:*:*:*:*",
"matchCriteriaId": "135BED68-C2EC-4EE7-9138-91E0EE3608EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
"matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:*",
"matchCriteriaId": "35F42314-AC3F-45B6-8BF8-49811E5F2FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
"matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*",
"matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*",
"matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*",
"matchCriteriaId": "D9F352AE-AE22-4A84-94B6-6621D7E0BC59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*",
"matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:*",
"matchCriteriaId": "1F8A9DEC-2C27-4EBB-B684-8EBDB374CFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:*",
"matchCriteriaId": "C3E7B777-8026-4C8F-9353-B5504873E0F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:*",
"matchCriteriaId": "2207FEE5-2537-4C6E-AC9C-EC53DBF3C57E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:*",
"matchCriteriaId": "087A2B43-07CE-4B3D-B879-449631DDA8D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:*",
"matchCriteriaId": "019CED83-6277-434C-839C-6C4E0C45FB1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update2:*:*:*:*:*:*",
"matchCriteriaId": "0ABA624F-C90B-4EAF-91E3-FCEA6997D889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:*",
"matchCriteriaId": "6C533124-74E6-4312-9AF7-6496DE2A5152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update21:*:*:*:*:*:*",
"matchCriteriaId": "8DDA248D-5F00-4FC1-B857-A7942BAA1F3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update22:*:*:*:*:*:*",
"matchCriteriaId": "6C6BA174-69D4-43FC-9395-1B6306A44CDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update23:*:*:*:*:*:*",
"matchCriteriaId": "A465C229-D3FB-43E9-87BE-119BEE9110F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update24:*:*:*:*:*:*",
"matchCriteriaId": "32E98546-CE96-4BB8-A11C-F7E850C155F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*",
"matchCriteriaId": "DD43C626-F2F2-43BA-85AA-6ADAE8A6D11F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*",
"matchCriteriaId": "5C72C0E0-7D0B-4E8F-A109-7BB5DCA1C8D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*",
"matchCriteriaId": "7E796B04-FF54-4C02-979C-87E137A76F63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*",
"matchCriteriaId": "07C3D771-5E1B-46C4-AAF8-F425377582D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*",
"matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update3:*:*:*:*:*:*",
"matchCriteriaId": "88483D15-5860-42D7-BBF4-7EAE22C885DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*",
"matchCriteriaId": "E915FBC2-9BF7-4A99-B201-1F176D743494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*",
"matchCriteriaId": "E44E02C2-6F83-4525-BF9D-E82CE9A9880E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
"matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
"matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*",
"matchCriteriaId": "02D4C998-77F5-4428-A7B9-F7D909E23E92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*",
"matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
"matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
"matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
"matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
"matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
"matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
"matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8E19E344-92B4-4B46-BD89-25EC7191972C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B5CE3202-2723-44A6-B63F-061138287FDA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user\u2019s TOTP to authenticate as the user."
}
],
"id": "CVE-2025-43798",
"lastModified": "2025-12-16T16:36:29.873",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@liferay.com",
"type": "Secondary"
}
]
},
"published": "2025-09-15T21:15:35.760",
"references": [
{
"source": "security@liferay.com",
"tags": [
"Vendor Advisory"
],
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43798"
}
],
"sourceIdentifier": "security@liferay.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-304"
}
],
"source": "security@liferay.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…