CVE-2025-43750 — Unrestricted File Upload in Digital Experience Platform

CWE-434 — Unrestricted File Upload CWE-787 — Out-of-bounds Write5 documents5 sources

Severity

5.1MEDIUMNVD

EPSS

0.1%

top 78.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP Liferay Portal +1 more

Timeline

PublishedAug 20

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

▶NVDliferay/digital_experience_platform2024.Q1.1 — 2024.Q1.15+5

▶CVEListV5liferay/portal7.4.0 — 7.4.3.132

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.132

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+5

🔴Vulnerability Details

OSV

Liferay Portal Unvalidated File Upload↗2025-08-20

▶

GHSA

Liferay Portal Unvalidated File Upload↗2025-08-20

▶

CVEList

CVE-2025-43750: Liferay Portal 7↗2025-08-20

▶

📋Vendor Advisories

Microsoft

drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.↗2022-10-11

▶