CVE-2025-43736 – com.liferay:com.liferay.account.admin.web

Package

Manager: maven
Name: com.liferay:com.liferay.account.admin.web
Vulnerable Version: >=0 <2.0.138

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/RE:L

EPSS: 0.00055 pctl0.17251

Details

Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture of more than 300kb into a user profile. This size is more than the noted max 300kb size. This extra data can significantly slow down the Liferay service.

Metadata

Created: 2025-08-12T12:30:32Z
Modified: 2025-08-12T19:54:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-cg99-m88x-422c/GHSA-cg99-m88x-422c.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-cg99-m88x-422c
Finding: F029
Auto approve: 1