GHSA-q86r-gwqc-jx85
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q86r-gwqc-jx85
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-q86r-gwqc-jx85/GHSA-q86r-gwqc-jx85.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q86r-gwqc-jx85
- Aliases
-
- CVE-2025-43789
- Published
- 2025-09-12T03:33:06Z
- Modified
- 2025-09-15T13:59:44.861068Z
- Severity
-
- 1.0 (Low) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution
- Details
-
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed.
- Database specific
{ "nvd_published_at": "2025-09-12T03:15:41Z", "severity": "LOW", "cwe_ids": [ "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2025-09-15T13:46:34Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-43789
- https://github.com/liferay/liferay-portal/commit/576039619a12f28304c5153ad3fa5e39f00548b3
- https://github.com/liferay/liferay-portal/commit/cb349be999396e97883e5fa7ccf2d226737779ac
- https://github.com/liferay/liferay-portal/commit/dfdd81d51808e38098e9a3250f3c8819e0761377
- https://github.com/liferay/liferay-portal/commit/e91daba3736ea30674f0beb5f6622c6df057d18b
- https://github.com/liferay/liferay-portal
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43789
Affected packages
Maven / com.liferay:com.liferay.comment.web
Package
- Name
- com.liferay:com.liferay.comment.web
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay/com.liferay.comment.web