CVE-2025-43789
BaseFortify
Publication date: 2025-09-12
Last updated on: 2025-09-15
Assigner: Liferay Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | portal | 7.4.1 |
| liferay | dxp | 2024.q1.8 |
| liferay | dxp | 2024.q1.9 |
| liferay | dxp | 2024.q1.2 |
| liferay | dxp | 2024.q1.4 |
| liferay | dxp | 2024.q1.6 |
| liferay | dxp | 2024.q1.1 |
| liferay | dxp | 2024.q1.5 |
| liferay | dxp | 2024.q1.7 |
| liferay | portal | 7.4.3 |
| liferay | portal | 7.4.2 |
| liferay | portal | 7.4.0 |
| liferay | dxp | 2024.q1.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves JSON Web Services in certain versions of Liferay Portal and Liferay DXP being registered and invoked directly as classes, which allows Service Access Policies to be executed. This means that the way these services are accessed could potentially bypass or improperly enforce access controls.
How can this vulnerability impact me?
The vulnerability could impact you by allowing unauthorized or unintended access to services due to the direct invocation of JSON Web Services and execution of Service Access Policies. However, the CVSS score is low (1.0), indicating limited impact or exploitability.