CVE-2025-43763
MEDIUM
Liferay Portal 7.4.0-7.4.3.131 & DXP 2024.Q1.1-2024.Q1.20 SSRF via Custom Object Attachment Fields
Title source: llm
Description
A server-side request forgery (SSRF) vulnerability exists in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20, that affects custom object attachment fields. This flaw allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources.
Scores
CVSS v3: 6.5
EPSS: 0.0004
EPSS Percentile: 11.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (3)
com.liferay/com.liferay.object.service (Maven): 0 - 1.0.208
liferay/digital_experience_platform: 2024.q1.1 - 2024.q1.21
liferay/liferay_portal: 7.4.0 - 7.4.3.132
Published: Sep 09, 2025
Tracked Since: Feb 18, 2026