Security Listings

Liferay DXP 2025.Q2

4.8

CVE-2025-43747 SSRF in Analytics Cloud domain validation

Description

A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by change the domain and bypassing the validation method, this insecure validation is not distinguishing between trusted subdomains and malicious domains.

Severity

4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

Affected Version(s)

Liferay DXP 2025.Q2.0 through 2025.Q2.3

Fixed Version(s)

Liferay Portal fixed on master branch
Liferay DXP 2025.Q2.4

CVE-2025-43747

Publication Date:

augustus 18, 2025

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Learn How >

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Learn How >

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!

Learn How >

Community

Company

Feedback