CVE-2025-43793 Supercookie

Description

Liferay Portal and Liferay DXP may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that share the same TLD to read cookies set by the application.

Severity

6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions
  • Liferay DXP 2023.Q4.0
  • Liferay DXP 2023.Q3.1 through 2023.Q3.4
  • Liferay DXP 7.4 GA thorugh U92
  • Liferay DXP 7.3 GA thorugh U35, and older unsupported versions

Fixed Version(s)

  • Liferay Portal 7.4.3.106
  • Liferay DXP 2024.Q1.1
  • Liferay DXP 2023.Q4.1
  • Liferay DXP 2023.Q3.5
  • Liferay DXP 7.3 U36

Publication date: Mon, 15 Sep 2025 15:33:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.