Liferay DXP Incorrect Permission Assignment for Critical Resource Vulnerability - CVE-2025-43808

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112 and Liferay DXP 2023.Q4.0 through 2023.Q4.8 2023.Q3.1 through 2023.Q3.10 7.4 GA through update 92 and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission which allows remote attackers to access and download virtual products for free via a crafted URL.