CVE-2025-43803
📋 TL;DR
An insecure direct object reference (IDOR) vulnerability in Liferay's Contacts Center widget allows remote attackers to access contact information they do not have permission to view. By manipulating the entryId parameter, an attacker can retrieve names and email addresses of other contacts. This affects Liferay Portal 7.4.0 through 7.4.3.119 and multiple Liferay DXP versions, including 2023.Q4.0 through 2023.Q4.6 and 7.4 GA through update 92.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Mass data exfiltration of all contact information leading to privacy violations, targeted phishing campaigns, or identity theft.
Likely Case
Limited unauthorized access to contact data, potentially exposing sensitive personal information of users or customers.
If Mitigated
Minimal impact with proper access controls and monitoring detecting unauthorized parameter manipulation attempts.
🎯 Exploit Status
Exploitation requires understanding of the parameter structure and valid entry IDs, but no authentication bypass is needed beyond accessing the widget.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.120+, Liferay DXP 2023.Q4.7+, 2023.Q3.11+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43803
Restart Required: No
Instructions:
1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack according to Liferay's deployment documentation.
3. Verify the Contacts Center widget no longer accepts unauthorized entryId parameters.
🔧 Temporary Workarounds
Disable Contacts Center Widget
Remove or disable the vulnerable Contacts Center widget from all pages and portlet configurations.
Navigate to Control Panel > Widgets > Contacts Center > Configuration > Set 'Active' to false
Implement Parameter Validation Filter
Add a servlet filter that checks the requesting user's permission on the requested entryId before the portlet processes the request.
Custom development required: the filter must resolve the contact referenced by entryId and reject the request when the current user is not permitted to view it.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for the Contacts Center widget endpoints
- Deploy a WAF with rules to detect and block suspicious parameter manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Test by accessing the Contacts Center widget and manipulating the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter with different values to see if unauthorized contact data is returned.
Check Version:
Check Liferay version via Control Panel > Server Administration > Properties > liferay.version
Verify Fix Applied:
After patching, attempt the same parameter manipulation - it should return access denied errors or no data for unauthorized requests.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed access attempts to contact endpoints
- Unusual parameter values in Contacts Center requests
- Access logs showing sequential entryId parameter testing
Network Indicators:
- Unusual patterns of requests to /contacts-center endpoints with varying entryId parameters
- Traffic spikes to contact data endpoints
SIEM Query:
source="liferay.logs" AND (uri_path="/contacts-center" OR parameter_name="entryId") AND (status_code=200 OR parameter_value!="authorized_value")
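The log indicators above (sequential entryId testing, unusual parameter values, many requests to the contacts endpoint from one client) can be turned into a concrete check. The following is an added example, not part of this advisory or of Liferay's tooling: it parses web-server access log lines in the common combined format (an assumption about where the requests are logged), extracts the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter, and flags clients that request many distinct entryId values or a run of consecutive ones. The sample log lines and the thresholds are constructed for the example. On an unpatched system the served-200 count shows how many probed records were actually returned; on a patched system the same probing shows up as denied responses, which matches the "Verify Fix Applied" step.

```python
"""Flag entryId enumeration against the Contacts Center portlet in access logs.

Added example for the advisory's detection section; log format, endpoint path
and thresholds are assumptions, not Liferay's own detection logic.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Parameter name as given in the advisory's "How to Verify" section.
ENTRY_PARAM = "_com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId"

# Combined-log-format line: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample traffic (not real logs). 10.0.0.5 walks six consecutive IDs
# and gets data back; 10.0.0.7 walks three IDs and is denied; 10.0.0.9 makes one
# ordinary request.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [01/Jan/2025:10:00:0{i} +0000] "GET /contacts-center?{ENTRY_PARAM}={100 + i} HTTP/1.1" 200 512'
     for i in range(1, 7)]
    + [f'10.0.0.7 - - [01/Jan/2025:10:01:0{i} +0000] "GET /contacts-center?{ENTRY_PARAM}={300 + i} HTTP/1.1" 403 128'
       for i in range(3)]
    + [f'10.0.0.9 - - [01/Jan/2025:10:02:00 +0000] "GET /contacts-center?{ENTRY_PARAM}=250 HTTP/1.1" 200 480',
       '10.0.0.9 - - [01/Jan/2025:10:02:05 +0000] "GET /web/guest/home HTTP/1.1" 200 2048']
)


def parse_line(line):
    """Return {ip, entry_id, status} for a Contacts Center request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    # "/contacts-center" is the endpoint path named in the advisory's network indicators.
    if "/contacts-center" not in url.path:
        return None
    ids = parse_qs(url.query).get(ENTRY_PARAM)
    if not ids:
        return None
    return {"ip": m.group("ip"), "entry_id": ids[0], "status": int(m.group("status"))}


def longest_consecutive_run(nums):
    """Length of the longest run of consecutive integers in a sorted unique list."""
    best = run = 0
    prev = None
    for n in nums:
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def analyze(lines, distinct_threshold=5, seq_run=3):
    """Group Contacts Center requests by client and flag enumeration behaviour."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_client.items():
        ids = [r["entry_id"] for r in recs]
        numeric = sorted({int(i) for i in ids if i.isdigit()})
        run = longest_consecutive_run(numeric)
        reasons = []
        if len(set(ids)) >= distinct_threshold:
            reasons.append(f"{len(set(ids))} distinct entryId values")
        if run >= seq_run:
            reasons.append(f"sequential entryId run of {run}")
        if reasons:
            findings[ip] = {
                "reasons": reasons,
                "distinct_ids": len(set(ids)),
                # 200s on probed IDs are the exposure; 401/403s mean the check held.
                "served_200": sum(1 for r in recs if r["status"] == 200),
                "denied": sum(1 for r in recs if r["status"] in (401, 403)),
            }
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The thresholds are deliberately low for the sample; in production, tune distinct_threshold to the normal per-session browsing volume for the widget and treat a high served_200 count on a flagged client as an exposure to follow up, not just an attempt.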