
CVE-2025-43803: CWE-639: Insecure Direct Object Reference in Liferay Portal

Severity: Medium
Tags: CVE-2025-43803, CWE-639
Published: Fri Sep 19 2025 (09/19/2025, 18:50:09 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact’s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter.

AI-Powered Analysis

Last updated: 09/19/2025, 19:24:03 UTC

Technical Analysis

CVE-2025-43803 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the Contacts Center widget of Liferay Portal versions 7.4.0 through 7.4.3.119 and several versions of Liferay DXP, including 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92, as well as older unsupported versions. The vulnerability arises from insufficient access control on the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter, which is used to reference contact entries: the entry is located by the caller-supplied key alone, without checking that the requester is permitted to see that particular entry. Remote attackers can exploit this flaw by manipulating the parameter to access contact information such as names and email addresses without proper authorization. This exposure of personally identifiable information (PII) constitutes a breach of confidentiality. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low attack complexity. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the moderate impact on confidentiality and the ease of exploitation. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The issue is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), the weakness class that describes IDOR vulnerabilities. Organizations using affected Liferay Portal or DXP versions should consider this a significant privacy risk, especially where contact data is sensitive or regulated.
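The pattern behind CWE-639, shown as an added illustration in Python rather than as Liferay code (the Contacts Center portlet is written in Java and its internals are not described on this page): a contact record is located by a caller-controlled entry id, first with no per-object authorization check and then with one. The Contact and Requester types, the in-memory store, the sample names and addresses, and the role name "contacts-admin" are all constructed for this example.

```python
"""Contact lookup by caller-supplied entryId: the CWE-639 pattern and its fix.

Added illustration; this is not Liferay code and makes no claim about how the
Contacts Center portlet is implemented. The Contact/Requester types, the
in-memory store and the role name "contacts-admin" are constructed here.
"""
from dataclasses import dataclass
from typing import Optional


class AccessDenied(Exception):
    """Raised for both missing and forbidden entries (see view_contact_secure)."""


@dataclass(frozen=True)
class Contact:
    entry_id: int
    owner_user_id: int   # user who created the contact entry
    name: str
    email: str


@dataclass(frozen=True)
class Requester:
    user_id: Optional[int]            # None models an unauthenticated guest
    roles: frozenset = frozenset()


# Constructed sample data: two users each own one contact record.
CONTACTS = {
    1001: Contact(1001, owner_user_id=10, name="Alice Example", email="alice@example.test"),
    1002: Contact(1002, owner_user_id=20, name="Bob Example", email="bob@example.test"),
}


def view_contact_insecure(store, entry_id):
    """IDOR: the record is located purely by the caller-controlled key.

    Nothing ties entry_id to the requester, so whoever supplies a valid id
    (small sequential integers in this sample store) receives the name and email.
    """
    return store[entry_id]


def is_authorized(requester, contact):
    """Per-object authorization: the owner, or a role explicitly granted view rights."""
    if requester.user_id is None:
        return False
    return (contact.owner_user_id == requester.user_id
            or "contacts-admin" in requester.roles)


def view_contact_secure(store, requester, entry_id):
    """Same lookup, but the object is released only after an authorization check.

    Missing and forbidden ids raise the same exception so the endpoint does not
    become an oracle for which entry ids exist.
    """
    contact = store.get(entry_id)
    if contact is None or not is_authorized(requester, contact):
        raise AccessDenied(f"entryId {entry_id}")
    return contact


def is_denied(store, requester, entry_id):
    """True if view_contact_secure refuses the request (convenience for checks)."""
    try:
        view_contact_secure(store, requester, entry_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    guest = Requester(user_id=None)
    # The insecure lookup hands a guest another user's email address.
    print(view_contact_insecure(CONTACTS, 1001).email)
    # The secure lookup refuses the same request.
    print("guest denied:", is_denied(CONTACTS, guest, 1001))
```

The point of the hardened version is that "is the user logged in" is not enough: the check must relate the requester to the specific object the key names, and the missing-entry and forbidden-entry paths should be indistinguishable to the caller.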

Potential Impact

For European organizations, the exposure of contact information such as names and email addresses can lead to privacy violations under the General Data Protection Regulation (GDPR), potentially resulting in regulatory fines and reputational damage. The unauthorized disclosure of PII could facilitate targeted phishing attacks, social engineering, or identity theft. Since Liferay Portal is commonly used by enterprises, public sector entities, and educational institutions across Europe for intranet and customer portals, this vulnerability could affect a broad range of sectors. The lack of authentication requirement means attackers can exploit the flaw remotely without credentials, increasing the risk of widespread data leakage. Additionally, organizations relying on Liferay for managing sensitive contact databases may face compliance challenges and loss of trust from clients and partners. Although the vulnerability does not directly impact system integrity or availability, the confidentiality breach alone is significant in the European regulatory and threat landscape.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the Contacts Center widget to authenticated and authorized users only, and using web application firewalls (WAFs) to monitor and block suspicious requests that manipulate the entryId parameter.
2. Implement strict access control policies within Liferay, ensuring that contact data is only accessible to users with appropriate permissions.
3. Monitor web server and application logs for unusual access patterns targeting the Contacts Center widget or the entryId parameter.
4. If possible, disable or remove the Contacts Center widget temporarily until a vendor patch is available.
5. Regularly update Liferay Portal and DXP to the latest versions once official patches addressing CVE-2025-43803 are released.
6. Conduct internal audits to identify any unauthorized data access or exfiltration related to this vulnerability.
7. Educate staff about phishing risks that could arise from leaked contact information.
8. Consider network segmentation to limit exposure of Liferay Portal instances to trusted networks only.

These steps go beyond generic advice by focusing on immediate access control hardening, monitoring, and temporary disabling of vulnerable components.
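Recommendation 3 (and the monitoring half of recommendation 1) asks for access-log review of the entryId parameter. The following added example, not part of the original advisory, implements one such check in Python: it parses combined-format access log lines, keeps only requests carrying the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter named in the CVE description, and flags any client that successfully retrieved many distinct entries, the signature of an id being walked. The log lines, client addresses, request path and entryId values are constructed for the example; the threshold of five distinct entries is an arbitrary starting point to tune against normal usage.

```python
"""Flag clients walking the Contacts Center entryId parameter in access logs.

Added example for log monitoring; not part of the advisory or of Liferay.
The sample log lines, IPs, path and id values are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Parameter named in the CVE-2025-43803 description.
ENTRY_ID_PARAM = "_com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId"

# Apache/nginx "combined"-style line: client ident user [time] "METHOD TARGET PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return {client, entry_id, status} for a request carrying the entryId
    parameter, or None for any other (or unparseable) line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)
    ids = query.get(ENTRY_ID_PARAM)
    if not ids:
        return None
    return {
        "client": m.group("client"),
        "entry_id": ids[0],
        "status": int(m.group("status")),
    }


def detect_entryid_enumeration(log_text, min_distinct=5):
    """Return {client: sorted distinct entryIds} for every client whose
    successful (HTTP 200) requests touched at least `min_distinct` different
    contact entries. Repeated views of one entry do not count."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200:
            seen[rec["client"]].add(rec["entry_id"])
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) >= min_distinct}


def _line(client, entry_id, status=200, second=1):
    """Build one constructed access-log line (path and values are made up)."""
    return (f'{client} - - [19/Sep/2025:18:50:{second:02d} +0000] '
            f'"GET /web/guest/contacts?{ENTRY_ID_PARAM}={entry_id} HTTP/1.1" '
            f'{status} 1432')


# Constructed sample: one client walks seven consecutive ids, another views a
# single entry twice and gets a 404 once, a third never touches the parameter.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 1000 + i, second=i) for i in range(1, 8)]
    + [_line("198.51.100.20", 2045, second=9), _line("198.51.100.20", 2045, second=10)]
    + [_line("198.51.100.20", 2046, status=404, second=11)]
    + ['192.0.2.9 - - [19/Sep/2025:18:50:12 +0000] "GET /web/guest/home HTTP/1.1" 200 8120']
)


if __name__ == "__main__":
    for client, ids in detect_entryid_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(ids)} distinct entryIds, e.g. {ids[:3]}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; on a busy portal, add a time window around the count so that a legitimate user browsing contacts over a day is not grouped with a burst of requests in seconds.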


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:33.792Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cdaa094b8a032c4fac9af9

Added to database: 9/19/2025, 7:07:53 PM

Last enriched: 9/19/2025, 7:24:03 PM

Last updated: 9/19/2025, 7:58:06 PM

