4.6

CVE-2025-43825

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLiferay
Product Portal
Default Statusunaffected
Version <= 7.4.3.132
Version 7.4.0
Status affected
VendorLiferay
Product DXP
Default Statusunaffected
Version <= 2023.Q3.10
Version 2023.Q3.1
Status affected
Version <= 2024.Q4.10
Version 2023.Q4.0
Status affected
Version <= 2024.Q1.12
Version 2024.Q1.1
Status affected
Version <= 2024.Q2.13
Version 2024.Q2.1
Status affected
Version <= 2024.Q3.13
Version 2024.Q3.0
Status affected
Version <= 2024.Q4.5
Version 2024.Q4.0
Status affected
Version <= 2025.Q1.4
Version 2025.Q1.0
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.04% 0.111
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
security@liferay.com 4.6 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.