CVE-2025-43743: CWE-203 Observable Discrepancy in Liferay Portal
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, giving an attacker the possibility to send phishing to these users.
AI Analysis
Technical Summary
CVE-2025-43743 is a medium-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.132 and various quarterly releases of Liferay DXP from 2024.Q1.1 through 2025.Q1.5. The vulnerability is categorized under CWE-203, Observable Discrepancy. This flaw allows any authenticated remote user to enumerate the names of other users by exploiting the calendar functionality. By enumerating user names, an attacker can view other users' calendars without proper authorization. This exposure of user information can facilitate targeted phishing attacks or social engineering campaigns by revealing valid user identities and schedules. The vulnerability does not require user interaction beyond authentication, and no elevated privileges are needed to exploit it. The CVSS v4.0 base score is 5.3, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), low privileges required (PR:L, i.e. any authenticated account), and no user interaction (UI:N). The impact is limited primarily to confidentiality (VC:L), with no direct impact on integrity or availability. There are no known exploits in the wild at this time, and no official patches have been linked yet. The vulnerability's root cause lies in insufficient access control or information disclosure in the calendar feature, allowing authenticated users to enumerate and view other users' calendar data, which should be restricted. This can lead to privacy violations and increase the risk of successful phishing attacks targeting employees by revealing their schedules and identities.
Potential Impact
For European organizations using affected versions of Liferay Portal or Liferay DXP, this vulnerability poses a moderate privacy and security risk. The exposure of user calendars and the ability to enumerate valid user names can facilitate targeted phishing and social engineering attacks, which are common vectors for initial compromise in corporate networks. Organizations handling sensitive or regulated data (e.g., GDPR-protected personal data) may face compliance risks due to unauthorized disclosure of user information. Additionally, the visibility into employee schedules can aid attackers in timing attacks or physical intrusions. While the vulnerability does not directly compromise system integrity or availability, the indirect consequences of successful phishing campaigns can lead to credential theft, lateral movement, and data breaches. European entities in sectors such as finance, government, healthcare, and critical infrastructure, which often use Liferay for intranet portals and collaboration, may be particularly impacted. The medium severity rating suggests that while the vulnerability is not critical, it should be addressed promptly to reduce the attack surface and protect user privacy.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to calendar functionalities to only those users who require it, applying the principle of least privilege.
2. Implement monitoring and alerting for unusual access patterns to calendar data or user enumeration attempts.
3. Employ multi-factor authentication (MFA) to reduce the risk of compromised credentials being used to exploit this vulnerability.
4. Educate users about phishing risks, especially in light of the increased risk due to exposed user information.
5. Regularly audit user permissions and calendar sharing settings to ensure no excessive exposure.
6. Since no official patches are currently linked, organizations should engage with Liferay support or their vendor to obtain patches or workarounds as soon as they become available.
7. Consider deploying Web Application Firewalls (WAF) with rules to detect and block enumeration attempts targeting calendar endpoints.
8. Review and harden API endpoints related to user data enumeration to enforce strict access controls.
9. If feasible, temporarily disable calendar sharing features until a patch is applied.
These steps go beyond generic advice by focusing on access control tightening, monitoring, user education, and proactive vendor engagement.
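One way to implement the monitoring in recommendation 2, as an added example that is not part of the original analysis or of Liferay's own code: a sliding-window check over access logs that flags an authenticated account touching many distinct other users' calendars in a short period. The log format, the `/calendar/<owner>/events` path and the sample lines are constructed assumptions for this example, not Liferay's real endpoints or log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log format (an assumption for this example, not Liferay's real layout):
# "<ISO timestamp> user=<actor> GET /calendar/<owner>/events <status>"
LOG_RE = re.compile(r"^(\S+) user=(\S+) GET /calendar/(\S+)/events (\d{3})$")

# Constructed sample lines: alice views her own and one colleague's calendar;
# mallory sweeps five distinct owners in seconds, then one more half an hour later.
SAMPLE_LOG = """\
2025-08-19T19:00:01Z user=alice GET /calendar/alice/events 200
2025-08-19T19:00:05Z user=alice GET /calendar/bob/events 200
2025-08-19T19:00:10Z user=mallory GET /calendar/alice/events 200
2025-08-19T19:00:11Z user=mallory GET /calendar/bob/events 200
2025-08-19T19:00:12Z user=mallory GET /calendar/carol/events 200
2025-08-19T19:00:13Z user=mallory GET /calendar/dave/events 404
2025-08-19T19:00:14Z user=mallory GET /calendar/erin/events 200
2025-08-19T19:30:00Z user=mallory GET /calendar/grace/events 200
"""
def parse(line):
    """Return (timestamp, actor, owner, status) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), int(m.group(4))

def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Map actor -> distinct owners for actors that touched at least `threshold`
    other users' calendars inside any sliding `window`. 404s are counted too:
    telling existing names from non-existing ones is the CWE-203 discrepancy."""
    events = defaultdict(list)  # actor -> [(timestamp, owner)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, actor, owner, _status = rec
        if owner != actor:  # viewing one's own calendar is normal traffic
            events[actor].append((ts, owner))
    flagged = {}
    for actor, recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            owners = {o for _, o in recs[start:end + 1]}
            if len(owners) >= threshold:
                flagged[actor] = flagged.get(actor, set()) | owners
    return flagged
```

Tune `window` and `threshold` to the portal's normal usage; the sweep that is reported excludes the late request outside the window, which keeps ordinary browsing of a few colleagues' calendars over a day from firing.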
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:23.316Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4cddcad5a09ad00fa75eb
Added to database: 8/19/2025, 7:17:48 PM
Last enriched: 8/19/2025, 7:33:53 PM
Last updated: 8/23/2025, 12:35:19 AM
Related Threats
- CVE-2025-43770: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal (Medium)
- CVE-2025-55455: n/a (High)
- CVE-2025-8193 (Unknown)
- CVE-2025-9356: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-9355: Stack-based Buffer Overflow in Linksys RE6250 (High)