CVE-2025-43808: CWE-732 Incorrect Permission Assignment for Critical Resource in Liferay Portal
The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.
AI Analysis
Technical Summary
CVE-2025-43808 is a vulnerability in the Commerce component of Liferay Portal 7.3.0 through 7.4.3.112 and of Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35. It is an incorrect permission assignment (CWE-732): when the file for a virtual product is uploaded through Commerce, the file entry created in the Documents and Media repository is saved with view permission for the Guest role. Documents and Media serves any file the Guest role can view to unauthenticated clients, so anyone who knows or can construct the file's download URL can retrieve the product without going through the purchase flow that is supposed to gate the download. No authentication or user interaction is required. The impact is limited to confidentiality: paid or otherwise restricted content is disclosed, but nothing is modified or made unavailable. The CVSS 4.0 base score is 6.9 (medium), reflecting a network attack vector, low attack complexity, no privileges or user interaction, and a confidentiality-only impact. No exploitation in the wild had been reported and no fixed version had been linked at the time of publication. The root cause is that the commerce module grants access to a critical resource, the product file, more broadly than the business rule allows; the download endpoint itself behaves as designed.
Potential Impact
For European organizations running an affected Liferay Portal or DXP release with Commerce, the direct consequence is that digital goods sold as virtual products can be downloaded without payment by anyone who obtains the file's URL. That is revenue loss for the merchant and, where the files are proprietary (software, courseware, reports, media), loss of intellectual property. Because the files are served to unauthenticated clients, no customer account or prior foothold is needed, and a single leaked URL can be shared or indexed. Where a virtual product embeds personal data, for example a document generated for a specific customer, the exposure is also a personal data breach with GDPR notification obligations. The medium rating reflects that only confidentiality is affected and that an attacker must know or construct a valid URL; it should not be read as low urgency for a storefront whose business depends on paid downloads.
Mitigation Recommendations
Start by inventorying Liferay Portal and DXP instances and comparing their exact version or update level against the affected ranges above. Commerce is the affected component, so instances that have never deployed it are not exposed by this CVE.

Until a fixed release is available and applied, remove the Guest role's VIEW permission from the Documents and Media file entries that back virtual products, and check that their folders do not grant Guest VIEW either, since folder listing makes URL discovery trivial. This can be done per file through the entry's Permissions action in the Documents and Media UI, or scripted through Liferay's resource permission services for a large catalog; do not revoke Documents and Media access from the Guest role globally, because the storefront normally needs it for product images and other public assets. Confirm the change with a logged-out browser or a scripted request against each file's download URL: a protected entry answers with a redirect to the login page or an error, never with the file bytes. Treat the permission change as a stopgap only: the affected code saves newly uploaded virtual product files with Guest VIEW again, so repeat the check after every catalog update until the fix is applied.

A WAF rule is a weak compensating control here. The download URLs are legitimate Documents and Media endpoints, so blocking them by pattern risks breaking public assets served from the same repository, and the attacker needs only one request that slips through. A WAF or reverse proxy is more useful for visibility: log requests to document download paths that arrive without a portal session, and review access logs for downloads of virtual product files that are not preceded by a completed order and for high-volume or enumerating requests against document URLs from a single client.

Where Commerce is deployed but not in use, disable or restrict it. Subscribe to Liferay's security advisories and apply the fix for this CVE as soon as a patched update or hotfix is published. Finally, include the Documents and Media repository in internal penetration tests focused on access control, testing specifically as an unauthenticated user.
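The verification step above, scripted: this is an added example, not Liferay's code or anything from the advisory. It assumes the operator already has the download URLs of the file entries behind their virtual products (the URL shape in the constructed sample is only an assumption about Liferay's /documents/ servlet path), requests each one with no cookies or credentials, and classifies the answer so that a file body returned to an anonymous client is flagged as exposed while a login redirect or access-denied response counts as protected. Ambiguous cases (HTML at 200, a 404 that may be a typo, a redirect to somewhere other than login) are left for a manual look rather than guessed.

```python
"""Anonymous exposure check for Liferay Documents and Media download URLs.

Added example (not Liferay's code). The operator supplies the download URLs of
the file entries that back virtual products; each is requested with no session
cookie and no credentials, and the response is classified so that a file body
served to an anonymous client is flagged as exposed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable
import urllib.error
import urllib.request

EXPOSED = "EXPOSED"        # file content returned to an anonymous client
PROTECTED = "PROTECTED"    # login redirect or access denied
UNKNOWN = "UNKNOWN"        # needs a manual look (HTML at 200, 404, 5xx, odd redirect)


@dataclass
class Probe:
    """The parts of an HTTP response the classifier needs."""
    status: int
    content_type: str
    location: str
    body_prefix: bytes


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the redirect itself is the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymous(url: str, timeout: float = 10.0) -> Probe:
    """Request url with no cookies or Authorization header, i.e. as a guest."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "dm-guest-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Content-Type", ""),
                         resp.headers.get("Location", ""), resp.read(512))
    except urllib.error.HTTPError as err:  # unfollowed 3xx, 4xx and 5xx land here
        body = err.read(512) if err.fp is not None else b""
        return Probe(err.code, err.headers.get("Content-Type", ""),
                     err.headers.get("Location", ""), body)


def classify(probe: Probe) -> str:
    """Decide whether the anonymous request got the file or was stopped.

    A guest without VIEW on a file entry gets a redirect to the login page or
    an error, never the file bytes, so a 200 with a non-HTML body is the
    exposure this CVE describes. A 200 that is HTML is ambiguous (an inline
    login form, or the product really is an HTML file) and a 404 may just be
    a mistyped URL, so both are reported as UNKNOWN for a manual check.
    """
    if probe.status == 200:
        ctype = probe.content_type.lower()
        looks_html = (ctype.startswith("text/html")
                      or probe.body_prefix.lstrip().lower().startswith(b"<!doctype html"))
        return UNKNOWN if looks_html else EXPOSED
    if probe.status in (301, 302, 303, 307, 308):
        return PROTECTED if "login" in probe.location.lower() else UNKNOWN
    if probe.status in (401, 403):
        return PROTECTED
    return UNKNOWN


def check_urls(urls: Iterable[str],
               fetch: Callable[[str], Probe] = fetch_anonymous) -> Dict[str, str]:
    """Map each URL to EXPOSED / PROTECTED / UNKNOWN; fetch is injectable so the
    logic can be exercised offline."""
    return {url: classify(fetch(url)) for url in urls}


# Constructed responses standing in for a portal, used to demonstrate the
# verdicts offline. The URL shape is an assumption about Liferay's /documents/
# servlet path and is illustrative only.
_CONSTRUCTED = {
    "https://shop.example/documents/20121/0/ebook.pdf/1b2c3d4e": Probe(
        200, "application/pdf", "", b"%PDF-1.7\n"),
    "https://shop.example/documents/20121/0/course.zip/5f6a7b8c": Probe(
        302, "text/html", "https://shop.example/c/portal/login", b""),
    "https://shop.example/documents/20121/0/guide.html/9d0e1f2a": Probe(
        200, "text/html;charset=UTF-8", "", b"<!DOCTYPE html><html>"),
}


def demo() -> Dict[str, str]:
    """Run the check against the constructed responses (no network)."""
    return check_urls(_CONSTRUCTED, fetch=_CONSTRUCTED.__getitem__)


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:9s} {url}")
```

Run it against the real URLs by passing them to check_urls with the default fetch; redirects are deliberately not followed because the redirect to the login page is itself the evidence that the entry is protected, and a client that followed it would see a 200 HTML page and lose that signal.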
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:33.793Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68cdc2a44b8a032c4fad9eea
Added to database: 9/19/2025, 8:52:52 PM
Last enriched: 9/27/2025, 12:53:40 AM
Last updated: 11/3/2025, 3:20:18 AM