CVE-2025-43805 is a medium-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.3.0 through 7.4.3.111, and various 2023 Q3 and Q4 releases. The vulnerability stems from a missing authorization check (CWE-862) when users attempt to view display page templates. This flaw allows remote attackers to access display page templates by crafting specific URLs without requiring any authentication or user interaction. Display page templates in Liferay are used to define how content is presented, and unauthorized access to these templates could expose sensitive business logic, layout configurations, or proprietary design elements. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (VC:L) with no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The issue was reserved in April 2025 and published in September 2025, indicating recent discovery and disclosure. This vulnerability is significant because it allows unauthorized disclosure of potentially sensitive template information, which could be leveraged for further attacks or reconnaissance by adversaries targeting organizations using Liferay Portal or DXP.

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of unauthorized information disclosure. Attackers could gain insight into the structure and design of web content, potentially exposing sensitive business processes or intellectual property embedded in display page templates. While the vulnerability does not allow modification or disruption of services, the leakage of template data could facilitate targeted phishing, social engineering, or more sophisticated attacks by revealing internal application logic. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that rely on Liferay for content management and portal services may find this particularly concerning. The ease of exploitation (no authentication or user interaction required) increases the risk of automated scanning and exploitation attempts. Although no active exploits are known, the public disclosure may prompt attackers to develop proof-of-concept exploits, increasing the urgency for mitigation. The impact on confidentiality could also have regulatory implications under GDPR if personal or sensitive data is indirectly exposed through templates.

European organizations should immediately audit their Liferay Portal and DXP installations to identify affected versions. Since no official patches are linked yet, organizations should implement compensating controls such as restricting access to the affected display page template URLs via web application firewalls (WAFs) or reverse proxies, applying strict URL filtering and access control rules. Monitoring web server logs for unusual or repeated access attempts to display page templates can help detect exploitation attempts early. Organizations should also consider temporarily disabling public access to display page templates if feasible. Engaging with Liferay support to obtain or expedite patches is critical once available. Additionally, organizations should review and harden their overall authorization policies and conduct penetration testing focused on authorization bypass scenarios. Maintaining up-to-date backups and ensuring incident response plans include scenarios for unauthorized data disclosure will improve resilience. Finally, educating developers and administrators about secure authorization practices can prevent similar issues in customizations or future versions.