CVE-2025-43797

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-43797

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43797.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-43797

Aliases

GHSA-25m3-w28p-v3v3

Published

2025-09-15T22:15:33.873Z

Modified

2025-12-18T05:56:56.362144Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allows any registered users to become a member of the site. A remote attacker with site membership can potentially view, add or edit content on the site.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43797

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type: GIT
Repo: https://github.com/liferay/liferay-portal
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b8c35409971bf2f43bb7e28bd1638daab05ce6fa

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43797.json"