CVE-2025-43768

Source
https://cve.org/CVERecord?id=CVE-2025-43768
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43768.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43768
Aliases
Published
2025-08-23T03:15:30.123Z
Modified
2026-07-09T17:04:21.686506Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "2024.Q1.1"
                },
                {
                    "fixed": "2024.Q1.16"
                },
                {
                    "introduced": "2024.q2.0"
                },
                {
                    "last_affected": "2024.q2.13"
                },
                {
                    "introduced": "2024.q3.1"
                },
                {
                    "last_affected": "2024.q3.13"
                }
            ],
            "vendor_product": "liferay:digital_experience_platform",
            "source": "CPE_RANGE"
        },
        {
            "cpes": [
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*",
                "cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "7.4-update86"
                },
                {
                    "last_affected": "7.4-update86"
                },
                {
                    "introduced": "7.4-update87"
                },
                {
                    "last_affected": "7.4-update87"
                },
                {
                    "introduced": "7.4-update88"
                },
                {
                    "last_affected": "7.4-update88"
                },
                {
                    "introduced": "7.4-update89"
                },
                {
                    "last_affected": "7.4-update89"
                },
                {
                    "introduced": "7.4-update90"
                },
                {
                    "last_affected": "7.4-update90"
                },
                {
                    "introduced": "7.4-update91"
                },
                {
                    "last_affected": "7.4-update91"
                },
                {
                    "introduced": "7.4-update92"
                },
                {
                    "last_affected": "7.4-update92"
                }
            ],
            "vendor_product": "liferay:digital_experience_platform",
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type
GIT
Repo
https://github.com/liferay/liferay-portal
Events
Database specific
{
    "cpe": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "7.4.0"
        },
        {
            "fixed": "7.4.3.132"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

7.*
7.4.0-ga1
7.4.1-ga2
7.4.2-ga3
7.4.3.4-ga4
7.4.3.41-ga41
7.4.3.5-ga5
7.4.3.6-ga6
7.4.3.7-ga7
7.4.3.88-ga88

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/liferay/liferay-portal/commit/a9017d1f654503189fcd6eecd59bd501a7015b8c",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "103302773237074788461801313682446763330",
                "60853900272161977226321758184551802988",
                "191378307748951099486338189471951812045",
                "164880871512209417113954673574280468464",
                "202485877113214607873722865538960039931",
                "60853900272161977226321758184551802988",
                "191378307748951099486338189471951812045",
                "164880871512209417113954673574280468464"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2025-43768-0b9fe555",
        "target": {
            "file": "portal-kernel/src/com/liferay/portal/kernel/upgrade/BasePortletPreferencesUpgradeProcess.java"
        }
    },
    {
        "source": "https://github.com/liferay/liferay-portal/commit/a9017d1f654503189fcd6eecd59bd501a7015b8c",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "170699539902466296749337177159259793854",
            "length": 2763.0
        },
        "deprecated": false,
        "id": "CVE-2025-43768-98b65317",
        "target": {
            "function": "_upgradePortletPreferenceValues",
            "file": "portal-kernel/src/com/liferay/portal/kernel/upgrade/BasePortletPreferencesUpgradeProcess.java"
        }
    }
]
vanir_signatures_modified
"2026-07-09T17:04:21Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43768.json"