CVE-2025-43808: 
Java vulnerability analysis and mitigation

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 contains a security vulnerability identified as CVE-2025-43808. The vulnerability was discovered and reported by foobar7, with a publication date of November 4, 2024. The issue has been assigned a CVSS v4.0 score of 6.9 (Medium) (Liferay Advisory).

The vulnerability stems from an incorrect permission assignment for critical resources (CWE-732). Specifically, the Commerce component saves virtual products uploaded to Documents and Media with guest view permission. The vulnerability has been assigned a CVSS v4.0 vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows remote attackers to access and download virtual products for free via a crafted URL. This unauthorized access to virtual products could result in financial losses for organizations using the affected versions of Liferay Portal and DXP (Liferay Advisory).

Organizations should upgrade to the fixed versions: Liferay Portal 7.4.3.113, Liferay DXP 2024.Q1.1, or Liferay DXP 2023.Q4.9 (Liferay Advisory).