CVE-2025-43768

HIGH

Liferay Portal/DXP <7.4.3.131, <2024.Q4.7, <2024.Q3.13, <2024.Q2.13...

Title source: llm
STIX 2.1

Description

Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

References (1)

Scores

CVSS v3 7.7
EPSS 0.0004
EPSS Percentile 13.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-201
Status published
Products (4)
com.liferay.portal/com.liferay.portal.impl 0 - 108.1.1Maven
liferay/digital_experience_platform 7.4 update86 (7 CPE variants)
liferay/digital_experience_platform 2024.Q1.1 - 2024.Q1.16
liferay/liferay_portal 7.4.0 - 7.4.3.132
Published Aug 23, 2025
Tracked Since Feb 18, 2026