CVE-2025-43768Sensitive Info Insertion into Sent Data in Digital Experience Platform

CWE-201Sensitive Info Insertion into Sent Data4 documents4 sources
Severity
5.1MEDIUMNVD
EPSS
0.0%
top 87.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Liferay Digital Experience PlatformLiferay PortalLiferay DXP+1 more
Timeline
PublishedAug 23

Description

Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages4 packages

NVDliferay/liferay_portal7.4.07.4.3.132
CVEListV5liferay/portal7.4.07.4.3.131
NVDliferay/digital_experience_platform2024.Q1.12024.Q1.16+3
CVEListV5liferay/dxp7.4.137.4.13-u92+4

🔴Vulnerability Details

3
GHSA
Liferay Portal JSONWS API endpoint shares sensitive information2025-08-23
CVEList
CVE-2025-43768: Liferay Portal 72025-08-23
OSV
Liferay Portal JSONWS API endpoint shares sensitive information2025-08-23
CVE-2025-43768 — MEDIUM severity | cvebase