CVE-2025-43743: 
Java vulnerability analysis and mitigation

CVE-2025-43743 is a security vulnerability affecting Liferay Portal and Liferay DXP platforms. The vulnerability was discovered and disclosed on August 19, 2025, affecting multiple versions including Liferay Portal 7.4.0 through 7.4.3.132, and various Liferay DXP versions from 2024.Q1 through 2025.Q1. This vulnerability allows authenticated remote users to view other users' calendars by enumerating user names, potentially enabling phishing attacks (Liferay Advisory).

The vulnerability has been assigned a CVSS 4.0 Base Score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. It is classified under CWE-203 (Observable Discrepancy). The vulnerability specifically relates to information disclosure through calendar access permissions, allowing authenticated users to enumerate other users' information (NVD).

The primary impact of this vulnerability is the potential exposure of user information through calendar access and user enumeration capabilities. This information disclosure could be leveraged by attackers to conduct targeted phishing campaigns against identified users (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal's fixed master branch version, Liferay DXP 2025.Q2.0, DXP 2025.Q1.6, or DXP 2024.Q1.16 (Liferay Advisory).

The French national cybersecurity agency (CERT-FR) has issued a security advisory (CERTFR-2025-AVI-0713) addressing this vulnerability along with other Liferay security issues, indicating significant attention from national security organizations (CERT-FR).