CVE-2025-43768

HIGH

Liferay Portal/DXP <7.4.3.131, <2024.Q4.7, <2024.Q3.13, <2024.Q2.13...

Title source: llm

Description

Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

References (1)

[Vendor Advisory] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43768

Scores

CVSS v3 7.7

EPSS 0.0004

EPSS Percentile 13.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Classification

CWE

CWE-201

Status published

Affected Products (10)

liferay/digital_experience_platform < 2024.Q1.16

liferay/digital_experience_platform

liferay/liferay_portal < 7.4.3.132

com.liferay.portal/com.liferay.portal.impl < 108.1.1Maven

Timeline

Published Aug 23, 2025

Tracked Since Feb 18, 2026