CVE-2025-43784
published 2025-09-10CVE-2025-43784: Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and…
medium6.2CVSS 4.0
AVNACLATNPRLUIAVCNVINVANSCHSIHSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entries information via the API Builder.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| liferay | digital_experience_platform | — | — |
| liferay | digital_experience_platform | >= 2024.Q1.1 < 2024.Q1.13 | 2024.Q1.13 |
| liferay | digital_experience_platform | >= 2024.Q2.0 < 2024.Q2.9 | 2024.Q2.9 |
| liferay | dxp | 2024.Q1.1 – 2024.Q1.12 | — |
| liferay | dxp | 2024.Q2.0 – 2024.Q2.8 | — |
| liferay | dxp | 7.4.13 – 7.4.13-u92 | — |
| liferay | liferay_portal | >= 7.4.0 < 7.4.3.125 | 7.4.3.125 |
| liferay | portal | 7.4.0 – 7.4.3.124 | — |
| msrc | cbl2_moby-runc_1.1.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_moby-runc_1.1.0+azure-2_on_cbl_mariner_1.0 | — | — |