CVE-2025-43751: 
Java vulnerability analysis and mitigation

User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP versions ranging from 2023.Q3.1 through 2024.Q4.7 allows remote attackers to determine if an account exists in the application via the create account page. The vulnerability was discovered and disclosed on August 22, 2025, affecting multiple versions of Liferay Portal and Liferay DXP platforms (Liferay Security).

The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. The weakness has been categorized as CWE-203 (Observable Discrepancy), indicating that the vulnerability allows attackers to gather information about user accounts through observable differences in system behavior (NVD).

The vulnerability enables remote attackers to enumerate valid user accounts within the Liferay platform through the create account page. This information disclosure could potentially be used as a stepping stone for further attacks, such as targeted phishing campaigns or brute force attempts (Liferay Security).

Fixed versions have been released including Liferay Portal fixed on master branch, Liferay DXP 2024.Q1.15, Liferay DXP 2025.Q1.0, and Liferay DXP 2025.Q2.0. Organizations are advised to upgrade to these patched versions to address the vulnerability (Liferay Security).