CVE-2025-43768

Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs.

Published: Aug 23, 2025
Updated: Aug 26, 2025
CVE: CVE-2025-43768
GHSA: GHSA-cv9j-mg9w-v7wm
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-201

Affected Software
References

Software	From	Fixed in
com.liferay.portal / com.liferay.portal.impl	-	108.1.1

https://github.com/liferay/liferay-portal/commit/efdbdbce73605ecd13b1a5e60f5186cc59f09c16
https://liferay.atlassian.net/browse/LPE-18154
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43768

Vulnerability Database

CVE-2025-43768