CVE-2025-43803: 
Java vulnerability analysis and mitigation

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in the Contacts Center widget affecting Liferay Portal and Liferay DXP systems. The vulnerability, identified as CVE-2025-43803, was disclosed on November 11, 2024, and affects multiple versions including Liferay Portal 7.4.0 through 7.4.3.119 and Liferay DXP versions from 2023.Q3.1 through 2023.Q4.6. The vulnerability was discovered by security researcher foobar7 (Liferay Advisory).

The vulnerability exists in the Contacts Center widget's handling of the comliferaycontactswebportletContactsCenterPortletentryId parameter. It has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD Database, [Liferay Advisory](https://liferay.dev/portal/security/known-vulnerabilities/-/assetpublisher/jekt/content/CVE-2025-43803)).

When exploited, this vulnerability allows remote attackers to view sensitive contact information, specifically including contact names and email addresses, without proper authorization. The impact is limited to data exposure without any system compromise or modification capabilities (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0, Liferay DXP 2024.Q1.1, or Liferay DXP 2023.Q4.7 to mitigate the risk (Liferay Advisory).