CVE-2025-43825

EPSS 0.05%
Veröffentlicht 03.10.2025 21:16:28
Zuletzt bearbeitet 15.12.2025 18:22:05
Quelle security@liferay.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 9 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Liferay ≫ Digital Experience Platform Version >= 2023.Q3.1 <= 2023.Q3.10

Liferay ≫ Digital Experience Platform Version >= 2023.q4.0 <= 2023.q4.10

Liferay ≫ Digital Experience Platform Version >= 2024.Q1.1 < 2024.Q1.13

Liferay ≫ Digital Experience Platform Version >= 2024.Q2.1 <= 2024.Q2.13

Liferay ≫ Digital Experience Platform Version >= 2024.Q3.0 <= 2024.Q3.13

Liferay ≫ Digital Experience Platform Version >= 2024.Q4.0 < 2024.Q4.6

Liferay ≫ Digital Experience Platform Version >= 2025.Q1.1 < 2025.Q1.4

Liferay ≫ Digital Experience Platform Version7.4

Liferay ≫ Liferay Portal Version >= 7.4.0 <= 7.4.3.132

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.143

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security@liferay.com	4.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43825

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-43825

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-43825

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-43825

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-43825