Fluid Attacks Database

Description

Liferay Portal's Organization Selector exposes organization data to remote authenticated users The Organization Selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay:com.liferay.organizations.item.selector.web	>=4.0.2 <4.0.22	4.0.22

Aliases

1. CVE-2025-437882. NVD-2025-437883. OSV-2025-437884. GCVE-2025-43788

References

1. https://github.com/liferay/liferay-portal/commit/730b0840530e2fbd98d482c9f1a1f0f8391a23692. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43788

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.