The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
References
| Link | Resource |
|---|---|
| https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43788 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
16 Dec 2025, 15:13
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
| First Time |
Liferay
Liferay liferay Portal Liferay digital Experience Platform |
|
| CPE | cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:* cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:* cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* |
|
| References | () https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43788 - Vendor Advisory |
12 Sep 2025, 03:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-12 03:15
Updated : 2025-12-16 15:13
NVD link : CVE-2025-43788
Mitre link : CVE-2025-43788
CVE.ORG link : CVE-2025-43788
JSON object : View
Products Affected
liferay
- digital_experience_platform
- liferay_portal
CWE
CWE-862
Missing Authorization