CVE-2025-43814: Liferay Portal and DXP audit events record password reminder answers
In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions the audit events records a user’s password reminder answer, which allows remote authenticated users to obtain a user’s password reminder answer via the audit events.
References
- github.com/advisories/GHSA-ph63-chvv-8x46
- github.com/liferay/liferay-portal
- github.com/liferay/liferay-portal/commit/6d0f123c838b96fd71fb97f422366ffa43391121
- github.com/liferay/liferay-portal/commit/76c9c38f21614bf0dca877057b13f6a449c041e8
- liferay.atlassian.net/browse/LPE-17937
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43814
- nvd.nist.gov/vuln/detail/CVE-2025-43814
Code Behaviors & Features
Detect and mitigate CVE-2025-43814 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →