CVE-2025-43789 — Incorrect Authorization in Digital Experience Platform

CWE-863 — Incorrect Authorization CWE-125 — Out-of-bounds Read5 documents5 sources

Severity

1.0LOWNVD

EPSS

0.0%

top 89.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 12

Description

JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get executed.

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.120

▶CVEListV5liferay/portal7.4.0 — 7.4.3.119

▶NVDliferay/digital_experience_platform2024.Q1.1 — 2024.Q1.10+1

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+1

🔴Vulnerability Details

CVEList

CVE-2025-43789: JSON Web Services in Liferay Portal 7↗2025-09-12

▶

OSV

Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution↗2025-09-12

▶

GHSA

Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution↗2025-09-12

▶

📋Vendor Advisories

Microsoft

Libxpm: out of bounds read on xpm with corrupted colormap↗2023-10-10

▶