CVE-2025-43788
BaseFortify
Publication date: 2025-09-12
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2024.Q1.1 (inc) to 2024.Q1.13 (exc) |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | liferay_portal | From 7.4.3.81 (inc) to 7.4.3.85 (inc) |
| liferay | liferay_portal | From 7.4.3.94 (inc) to 7.4.3.125 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the organization selector component of Liferay Portal versions 7.4.0 through 7.4.3.124, and Liferay DXP versions 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85. It occurs because the system does not properly check user permissions, allowing remote authenticated users to access and obtain a list of all organizations without proper authorization.
How can this vulnerability impact me?
The impact of this vulnerability is that remote authenticated users can gain unauthorized access to sensitive organizational information by obtaining a list of all organizations. This could lead to information disclosure and potentially aid attackers in further targeting or reconnaissance activities within the affected system.