N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-43808

GHSA ID

GHSA-chr3-w547-85hw

EPSS Score

CWE

CWE-732

Published

9/19/2025

Updated

9/19/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-43808

CVE-2025-43808: Liferay Portal Commerce component has Incorrect Permission Assignment for Critical Resource

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-43808

GHSA ID

GHSA-chr3-w547-85hw

EPSS Score

CWE

CWE-732

Published

9/19/2025

Updated

9/19/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.commerce:com.liferay.commerce.product.type.virtual.service	maven	< 4.0.47	4.0.47

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

T** *omm*r** *ompon*nt in Li**r*y Port*l *.*.* t*rou** *.*.*.***, *n* Li**r*y *XP ****.Q*.* t*rou** ****.Q*.*, ****.Q*.* t*rou** ****.Q*.**, *.* ** t*rou** up**t* **, *n* *.* s*rvi** p**k * t*rou** up**t* ** s*v*s virtu*l pro*u*ts uplo**** to *o*um*n

Reasoning

No *n*lysis *v*il**l*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-43808: Liferay Portal Commerce component has Incorrect Permission Assignment for Critical Resource

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI