Description

In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions the audit events records a user’s password reminder answer, which allows remote authenticated users to obtain a user’s password reminder answer via the audit events.

Remediation

References

CVE-2025-43814

Related Vulnerabilities

MediaWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2020-35626)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-28202)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-0215)

WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-5293)

MediaWiki Credentials Management Errors Vulnerability (CVE-2015-8626)

Severity

Medium

Classification

CVE-2025-43814 CWE-201 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities