CVE-2025-43799: 
Java vulnerability analysis and mitigation

Liferay Portal and Liferay DXP contain a security vulnerability (CVE-2025-43799) where the system does not limit access to APIs before a user has changed their initial password. The vulnerability was discovered by security researcher 4rth4s and publicly disclosed on November 11, 2024. The affected versions include Liferay Portal 7.4.0 through 7.4.3.111 and older unsupported versions, Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, Liferay DXP 7.4 GA through update 92, and 7.3 GA through update 35 (Liferay Advisory).

The vulnerability is classified with a CVSS v4.0 base score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The technical nature of the vulnerability relates to improper access control implementation, specifically in the context of initial password change requirements. The issue is tracked under CWE-1393 (Use of Default Password) (NVD Database).

The vulnerability allows remote users to access and edit content via the API before changing their initial password, potentially compromising the security of the system. The impact is characterized by low confidentiality and integrity impacts, with no availability impact (Liferay Advisory).

The vulnerability has been fixed in the following versions: Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.1, Liferay DXP 2023.Q3.5, and Liferay DXP 7.3 U36. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Liferay Advisory).