GHSA-v53g-736w-mgw4

Source
https://github.com/advisories/GHSA-v53g-736w-mgw4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-v53g-736w-mgw4/GHSA-v53g-736w-mgw4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v53g-736w-mgw4
Aliases
  • CVE-2025-43788
Published
2025-09-12T03:33:06Z
Modified
2025-09-15T14:27:20.708942Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Liferay Portal's Organization Selector exposes organization data to remote authenticated users
Details

The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85, does not check user permissions, which allows remote authenticated users to obtain a list of all organizations.

Database specific
{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed_at": "2025-09-15T13:42:36Z",
    "nvd_published_at": "2025-09-12T03:15:41Z"
}
References

Affected packages

Maven / com.liferay:com.liferay.organizations.item.selector.web

Package

Name
com.liferay:com.liferay.organizations.item.selector.web
Purl
pkg:maven/com.liferay/com.liferay.organizations.item.selector.web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.2
Fixed
4.0.22

Affected versions

4.*

4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21