
CVE-2025-43814: CWE-201 Insertion of Sensitive Information Into Sent Data in Liferay Portal

Severity: Medium
Published: Mon Sep 22 2025 (09/22/2025, 23:01:21 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions, the audit events record a user's password reminder answer, which allows remote authenticated users to obtain a user's password reminder answer via the audit events.

AI-Powered Analysis

Last updated: 09/30/2025, 01:25:09 UTC

Technical Analysis

CVE-2025-43814 is a medium severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, including 7.4.0 through 7.4.3.112, 7.4 GA through update 92, and various 2023 Q3 and Q4 releases. It is classified under CWE-201, insertion of sensitive information into sent data. The issue arises because audit event records capture a user's password reminder answer in plaintext, so any remote authenticated user with the privileges needed to view audit events can read it. Because the password reminder answer is often used as a secondary authentication factor or for account recovery, its exposure can facilitate unauthorized account access or further social engineering. The CVSS 4.0 score is 6.9 (medium): the flaw can be exploited remotely without user interaction, but it requires authenticated access with high privileges. It does not broadly affect the confidentiality, integrity, or availability of the system; its impact is limited to the confidentiality of the sensitive user data held in audit logs. There are no known exploits in the wild as of the publication date, and no official patches have been linked yet. The root cause is improper handling of sensitive data within audit events, in violation of best practices for sensitive information management.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of sensitive credential information leakage. Attackers with authenticated access to audit logs can retrieve password reminder answers, potentially enabling account takeover or lateral movement within the organization. The risk is particularly significant for organizations with large user bases or those that rely on password reminders for account recovery. Exposure of such data can constitute a privacy violation under GDPR, with regulatory penalties and reputational damage as a result. If attackers leverage this information to escalate privileges or access sensitive business data, it could lead to data breaches or operational disruptions. The impact is heightened in sectors with strict compliance requirements, such as finance, healthcare, and government, which are well represented in Europe.

Mitigation Recommendations

Organizations should immediately audit their Liferay Portal and DXP installations to identify affected versions. Until patches are available, restrict access to audit event logs strictly to the minimum necessary personnel with high trust levels. Implement additional monitoring and alerting on audit log access to detect suspicious activity. Consider disabling or limiting audit logging of sensitive user information if configurable. Review and update internal policies to ensure sensitive data is never logged in plaintext. When patches become available from Liferay, prioritize their deployment. Additionally, enforce strong authentication and authorization controls around audit log access, including multi-factor authentication and role-based access controls. Conduct user awareness training to mitigate risks from compromised password reminder answers. Finally, review and enhance incident response plans to address potential exploitation scenarios involving leaked password reminder answers.
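As an added illustration of the two mitigation steps above (never write the reminder answer into audit events, and check existing audit logs for records that already contain one), this example is not Liferay's code and the page gives no audit-event schema: the attribute names, the name/value record layout and the sample records are all assumptions.

```python
import json
import re

# Assumed attribute names for the reminder answer (hypothetical; the page gives no audit schema).
SENSITIVE_KEYS = {"reminderqueryanswer", "reminderanswer", "passwordreminderanswer"}
VALUE_KEYS = {"oldValue", "newValue", "value"}  # assumed value slots of name/value attribute records
REDACTED = "[REDACTED]"

def _is_sensitive(key):
    # Normalize case and separators so reminder_answer and reminderQueryAnswer both match.
    return re.sub(r"[^a-z]", "", str(key).lower()) in SENSITIVE_KEYS

def _is_sensitive_field(record, key):
    # The key itself names the answer, or it is the value slot of an attribute whose "name" does.
    return _is_sensitive(key) or (key in VALUE_KEYS and _is_sensitive(record.get("name", "")))

def redact_event(event):
    """Return a copy of an audit event with every reminder answer replaced by REDACTED."""
    if isinstance(event, dict):
        return {k: REDACTED if _is_sensitive_field(event, k) else redact_event(v) for k, v in event.items()}
    if isinstance(event, list):
        return [redact_event(v) for v in event]
    return event

def has_answer(node):
    """True if a record (or any nested part) still carries a non-redacted reminder answer."""
    if isinstance(node, dict):
        return any((_is_sensitive_field(node, k) and v not in (None, "", REDACTED)) or has_answer(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(has_answer(v) for v in node)
    return False

def find_leaks(lines):
    """1-based line numbers of JSON-lines audit records that still contain a reminder answer."""
    leaks = []
    for n, line in enumerate(lines, 1):
        try:
            if has_answer(json.loads(line)):
                leaks.append(n)
        except json.JSONDecodeError:
            pass  # non-JSON lines are skipped rather than assumed clean
    return leaks

# Constructed sample records (not real Liferay output): the first leaks an answer, the second does not.
SAMPLE_AUDIT_LOG = [
    '{"eventType": "UPDATE", "className": "User", "attributes": [{"name": "reminderQueryQuestion", "newValue": "city"}, '
    '{"name": "reminderQueryAnswer", "oldValue": "fluffy", "newValue": "lisbon"}]}',
    '{"eventType": "LOGIN", "className": "User", "userId": 20123}',
]
```

Running find_leaks over an exported audit log gives the records to purge; wiring redact_event in front of the audit writer keeps new records clean.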


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:35.683Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d1d6fd72b9f38792d8c740

Added to database: 9/22/2025, 11:08:45 PM

Last enriched: 9/30/2025, 1:25:09 AM

Last updated: 11/5/2025, 11:56:16 AM
