CVE-2025-43784 — Incorrect Authorization in Digital Experience Platform

CWE-863 — Incorrect Authorization CWE-190 — Integer Overflow or Wraparound5 documents5 sources

Severity

6.2MEDIUMNVD

EPSS

0.0%

top 85.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 10

Description

Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entries information via the API Builder.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.125

▶CVEListV5liferay/portal7.4.0 — 7.4.3.124

▶NVDliferay/digital_experience_platform2024.Q1.1 — 2024.Q1.13+2

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+2

🔴Vulnerability Details

OSV

Liferay Portal's Incorrect Authorization vulnerability can lead to guest users to obtaining sensitive data↗2025-09-10

▶

GHSA

Liferay Portal's Incorrect Authorization vulnerability can lead to guest users to obtaining sensitive data↗2025-09-10

▶

CVEList

CVE-2025-43784: Improper Access Control vulnerability in Liferay Portal 7↗2025-09-10

▶

📋Vendor Advisories

Microsoft

Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration↗2021-12-14

▶