CVE-2025-43792 Staging site data exfiltration

Description

Remote staging in Liferay DXP does not properly obtain the remote address of the live site from the database which, which allows remote authenticated users to exfiltrate data to an attacker controlled server (i.e., a fake “live site”) via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress and _com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort parameters. To successfully exploit this vulnerability, an attacker must also successfully obtain the staging server’s shared secret and add the attacker controlled server to the staging server’s whitelist.

Severity

2.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions
  • Liferay DXP 2023.Q4.0
  • Liferay DXP 2023.Q3.1 through 2023.Q3.4
  • Liferay DXP 7.4 GA thorugh U92
  • Liferay DXP 7.3 GA thorugh U35, and older unsupported versions

Fixed Version(s)

  • Liferay Portal 7.4.3.106
  • Liferay DXP 2024.Q1.1
  • Liferay DXP 2023.Q4.1
  • Liferay DXP 2023.Q3.5
  • Liferay DXP 7.3 U36

Publication date: Mon, 15 Sep 2025 16:21:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.