CVE-2025-43798

MEDIUM

Liferay DXP <2023.Q4.0, 2023.Q3.1-2023.Q3.4, 7.4 GA-92, 7.3 GA-35 -...

Title source: llm

Description

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43798

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 9.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-304

Status published

Products (5)

com.liferay/com.liferay.multi.factor.authentication.timebased.otp.web 0 - 2.0.25Maven

liferay/digital_experience_platform 7.3 (41 CPE variants)

liferay/digital_experience_platform 7.4

liferay/digital_experience_platform 2023.q4.0

liferay/digital_experience_platform 2023.q3.1 - 2023.q3.5

Published Sep 15, 2025

Tracked Since Feb 18, 2026