CVE-2025-43799: 
Java vulnerability analysis and mitigation

CVE-2025-43799 affects Liferay Portal and Liferay DXP systems, where the application fails to limit access to APIs before users change their initial passwords. The vulnerability was discovered and reported by security researcher 4rth4s, and was publicly disclosed on November 11, 2024. The affected versions include Liferay Portal 7.4.0 through 7.4.3.111 and older unsupported versions, as well as various Liferay DXP versions including 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 (Liferay Advisory).

The vulnerability is classified with a CVSS v3.1 score of 6.5, indicating a medium severity level. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with low impacts on both confidentiality (C:L) and integrity (I:L), while having no impact on availability (A:N). The vulnerability is tracked under CWE-1393 (Use of Default Password) (Liferay Advisory, NVD).

The vulnerability allows remote users to access and edit content via the API before changing their initial password, potentially compromising the security of the system. This bypass of the password change requirement could lead to unauthorized access and modification of content, affecting both the confidentiality and integrity of the system (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.1, Liferay DXP 2023.Q3.5, or Liferay DXP 7.3 U36 depending on their current version (Liferay Advisory).