CVE-2025-43806

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-43806

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43806.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-43806

Aliases

GHSA-pm45-xx4q-fmv7

Published

2025-09-22T22:15:43.057Z

Modified

2025-12-14T04:49:06.401303Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 does not properly check permission with import and export tasks, which allows remote authenticated users to access the exported data via the REST APIs.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43806

Affected packages

Git / github.com/liferay/liferay-portal

Affected ranges

Type: GIT
Repo: https://github.com/liferay/liferay-portal
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

99206814748a429237e8d56ece5f9c5a8221c4d3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43806.json"