CVE-2025-43797: CWE-1188: Insecure Default Initialization of Resource in Liferay Portal
In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is "Open", which allows any registered user to become a member of the site. A remote attacker with site membership can potentially view, add or edit content on the site.
AI Analysis
Technical Summary
CVE-2025-43797 is a medium-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, including versions 7.1.0 through 7.4.3.111 and various 2023 quarterly releases. The core issue is the insecure default initialization of a newly created site's membership type, which is set to "Open". This configuration allows any registered user on the platform to join the site without explicit approval or invitation. Once a user has membership, they can potentially view, add, or edit content within the site. The vulnerability is categorized under CWE-1188 (insecure default initialization of resources), which here leads to unintended access permissions. The CVSS 4.0 base score is 5.3 (medium severity); the vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no additional attack requirements (AT:N), low privileges required (PR:L, i.e. a registered account), no user interaction (UI:N), and low impact on confidentiality and integrity, with no impact on availability. Because no user interaction is needed and any registered user can exploit it remotely, it is a significant risk for organizations relying on Liferay Portal for collaboration or content management. No known exploits are currently reported in the wild, and no patches are linked in the provided data, so mitigation may require configuration changes or vendor updates once available.
Potential Impact
For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of unauthorized access and modification of site content by any registered user, potentially including internal employees or external users with registered accounts. This could lead to data leakage, unauthorized data manipulation, or defacement of corporate or public-facing sites. The impact is particularly relevant for organizations that use Liferay for sensitive intranet portals, customer engagement platforms, or public information sites where content integrity and confidentiality are critical. The ability for any registered user to join sites without restriction may also facilitate insider threats or lateral movement within the platform. Given the medium severity, the impact on confidentiality and integrity is limited but non-negligible, especially in regulated sectors such as finance, healthcare, or government services within Europe, where data protection compliance (e.g., GDPR) is mandatory. Availability is not impacted, so denial-of-service is not a concern here. However, reputational damage and compliance violations could arise from unauthorized content changes or data exposure.
Mitigation Recommendations
European organizations should immediately review and modify the default site membership settings in their Liferay Portal and DXP installations to restrict automatic membership. Administrators should configure new sites to use a more restrictive membership type, such as "Private" or "Restricted," requiring explicit approval for membership. Additionally, organizations should audit existing sites to identify any that have the default "Open" membership and adjust their settings accordingly. Implementing strict user registration and verification processes can reduce the risk of malicious users gaining registered accounts. Monitoring and logging membership changes and content modifications will help detect unauthorized activities early. Organizations should also stay alert for official patches or updates from Liferay addressing this vulnerability and apply them promptly once available. Network segmentation and access controls limiting who can register or access the portal may further reduce exposure. Finally, user education about the risks of unauthorized content changes and regular security assessments of the portal configuration are recommended.
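The audit and monitoring steps above, as an added example that is not part of this advisory and not Liferay's own code: a Python script that flags site groups still using the Open membership type (with an allow-list for sites that are intentionally public) and a small detector for self-service joins in membership events. The record field names ("groupId", "name", "site", "type"), the numeric type codes (assumed to match Liferay's GroupConstants TYPE_SITE_OPEN, TYPE_SITE_RESTRICTED and TYPE_SITE_PRIVATE) and the log line format are assumptions of this example; the sample records and log lines are constructed.

```python
import re

# Membership type codes for site groups. These values are assumed to match
# Liferay's GroupConstants (TYPE_SITE_OPEN, TYPE_SITE_RESTRICTED, TYPE_SITE_PRIVATE).
TYPE_SITE_OPEN = 1
TYPE_SITE_RESTRICTED = 2
TYPE_SITE_PRIVATE = 3
TYPE_NAMES = {TYPE_SITE_OPEN: "open", TYPE_SITE_RESTRICTED: "restricted",
              TYPE_SITE_PRIVATE: "private"}

# Constructed sample of Group records as an export might present them.
# Field names ("groupId", "name", "site", "type") are assumptions for this example.
SITES = [
    {"groupId": 20121, "name": "Public Site",   "site": True,  "type": TYPE_SITE_OPEN},
    {"groupId": 38201, "name": "HR Intranet",   "site": True,  "type": TYPE_SITE_OPEN},
    {"groupId": 38305, "name": "Finance",       "site": True,  "type": TYPE_SITE_PRIVATE},
    {"groupId": 38410, "name": "Partners",      "site": True,  "type": TYPE_SITE_RESTRICTED},
    {"groupId": 38512, "name": "Marketing Org", "site": False, "type": TYPE_SITE_OPEN},
]


def find_open_sites(records, allowed_open=()):
    """Return (groupId, name) for every site whose membership type is Open,
    skipping non-site groups (organizations, user groups) and sites that are
    intentionally public (allowed_open)."""
    return [
        (r["groupId"], r["name"])
        for r in records
        if r.get("site") and r.get("type") == TYPE_SITE_OPEN
        and r["name"] not in allowed_open
    ]


# Constructed membership/audit events in a format invented for this example
# (not Liferay's audit log format). "actor" is who performed the action,
# "user" is the account that became a member.
LOG_LINES = """\
2025-09-15T21:33:37Z MEMBERSHIP actor=20123 user=20123 group=38201 action=join
2025-09-15T21:35:02Z MEMBERSHIP actor=20001 user=20456 group=38305 action=add
2025-09-15T21:36:10Z MEMBERSHIP actor=20789 user=20789 group=38305 action=join
2025-09-15T21:40:55Z CONTENT actor=20123 group=38201 action=update_article id=551
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) MEMBERSHIP actor=(?P<actor>\d+) user=(?P<user>\d+) "
    r"group=(?P<group>\d+) action=(?P<action>\w+)$"
)


def self_service_joins(lines, records):
    """Flag membership events where a user added themselves to a site.

    Self-service joins are exactly what the Open default permits; on a
    Restricted or Private site the same pattern should not occur at all, so
    each finding carries the site's configured type for triage."""
    site_types = {r["groupId"]: r.get("type") for r in records if r.get("site")}
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["actor"] != m["user"]:
            continue  # not a membership event, or the member was added by someone else
        group_id = int(m["group"])
        findings.append({
            "ts": m["ts"],
            "user": int(m["user"]),
            "group": group_id,
            "site_type": TYPE_NAMES.get(site_types.get(group_id), "unknown"),
        })
    return findings


if __name__ == "__main__":
    for group_id, name in find_open_sites(SITES, allowed_open={"Public Site"}):
        print(f"OPEN membership: groupId={group_id} name={name!r}")
    for f in self_service_joins(LOG_LINES, SITES):
        print(f"self-join at {f['ts']}: user {f['user']} -> group {f['group']} ({f['site_type']} site)")
```

Run it with `python3 audit_open_sites.py` after replacing the constructed `SITES` list with the Group records exported from the instance. The allow-list exists because a deliberately public site is a legitimate use of the Open type; the finding to act on is an intranet or customer site that was simply created with the default and never changed. A self-join flagged on a Private or Restricted site deserves immediate attention, since that type should not permit it.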
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:31.458Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c8863160bc4e6b5be35132
Added to database: 9/15/2025, 9:33:37 PM
Last enriched: 9/15/2025, 9:34:13 PM
Last updated: 9/16/2025, 5:38:54 AM
Related Threats
- CVE-2025-4688: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in BGS Interactive SINAV.LINK Exam Result Module (Critical)
- CVE-2025-5518: CWE-639 Authorization Bypass Through User-Controlled Key in ArgusTech BILGER (Medium)
- CVE-2025-59453: CWE-669 Incorrect Resource Transfer Between Spheres in clickstudios Passwordstate (Low)
- CVE-2025-59437: CWE-918 Server-Side Request Forgery (SSRF) in fedorindutny ip (Low)
- CVE-2025-59436: CWE-918 Server-Side Request Forgery (SSRF) in fedorindutny ip (Low)