CVE-2025-43768 – com.liferay.portal:com.liferay.portal.impl

Package

Manager: maven
Name: com.liferay.portal:com.liferay.portal.impl
Vulnerable Version: >=0 <108.1.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: 0.00038 pctl0.10381

Details

Liferay Portal JSONWS API endpoint shares sensitive information Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

Metadata

Created: 2025-08-23T03:30:43Z
Modified: 2025-08-25T20:45:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-cv9j-mg9w-v7wm/GHSA-cv9j-mg9w-v7wm.json
CWE IDs: ["CWE-201"]
Alternative ID: GHSA-cv9j-mg9w-v7wm
Finding: F038
Auto approve: 1