GHSA-4p5r-3jmm-652q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4p5r-3jmm-652q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-4p5r-3jmm-652q/GHSA-4p5r-3jmm-652q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4p5r-3jmm-652q
- Aliases
-
- CVE-2025-43798
- Published
- 2025-09-15T21:30:56Z
- Modified
- 2025-09-16T00:27:18.608056Z
- Severity
-
- 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Liferay DXP Missing Critical Step in Authentication
- Details
-
Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.
- Database specific
{ "severity": "LOW", "github_reviewed": true, "cwe_ids": [ "CWE-304" ], "github_reviewed_at": "2025-09-15T23:59:59Z", "nvd_published_at": "2025-09-15T21:15:35Z" }- References
Affected packages
Maven / com.liferay:com.liferay.multi.factor.authentication.timebased.otp.web
Package
- Name
- com.liferay:com.liferay.multi.factor.authentication.timebased.otp.web
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay/com.liferay.multi.factor.authentication.timebased.otp.web
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.0.25
Affected versions
1.*
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.0.26
1.0.27
1.0.28
1.0.29
1.0.30
1.0.31
1.0.32
1.0.33
1.0.34
1.0.35
1.0.36
1.0.37
1.0.38
1.0.39
1.0.40
1.0.41
1.0.42
1.0.43
1.0.44
1.0.45
1.0.46
1.0.47
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24