7.1

CVE-2025-43748

Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request Forgery

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLiferay
Produkt Portal
Default Statusunaffected
Version <= 7.4.3.119
Version 7.0.0
Status affected
HerstellerLiferay
Produkt DXP
Default Statusunaffected
Version <= portal-173
Version 6.2.0
Status affected
Version <= de-102
Version 7.0.10
Status affected
Version <= dxp-28
Version 7.1.10
Status affected
Version <= dxp-20
Version 7.2.10
Status affected
Version <= 7.3.10-u36
Version 7.3.10
Status affected
Version <= 7.4.13-u92
Version 7.4.13
Status affected
Version <= 2023.Q3.9
Version 2023.Q3.1
Status affected
Version <= 2023.Q4.9
Version 2023.Q4.0
Status affected
Version <= 2024.Q1.6
Version 2024.Q1.1
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.03% 0.053
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@liferay.com 7.1 0 0
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.