Vulnerability Database

296,676

Total vulnerabilities in the database

CVE-2025-43808

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.

Published: Sep 19, 2025
Updated: Sep 20, 2025
CVE: CVE-2025-43808
GHSA: GHSA-chr3-w547-85hw
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-732

Affected Software
References

Software	From	Fixed in
com.liferay.commerce / com.liferay.commerce.product.type.virtual.service	-	4.0.47

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43808

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo