CVE-2025-43759

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

L

iferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a list of all other tenants.

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43759	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.4:::::::*
	cpe:2.3:a:liferay:digital_experience_platform:2025.q1.0:::::::*
	cpe:2.3:a:liferay:liferay_portal::::::::

History

16 Dec 2025, 15:03

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 2.7
First Time		Liferay digital Experience Platform Liferay Liferay liferay Portal
CPE		cpe:2.3:a:liferay:liferay_portal:::::::: cpe:2.3:a:liferay:digital_experience_platform:2025.q1.0:::::::* cpe:2.3:a:liferay:digital_experience_platform:::::::: cpe:2.3:a:liferay:digital_experience_platform:7.4:::::::*
References	~~() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43759 -~~	() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43759 - Vendor Advisory

25 Aug 2025, 20:24

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-22 19:15

Updated : 2025-12-16 15:03

NVD link : CVE-2025-43759

Mitre link : CVE-2025-43759

CVE.ORG link : CVE-2025-43759

JSON object : View

Products Affected

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2025-43759", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-22T19:15:38.633", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43759", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a list of all other tenants."}, {"lang": "es", "value": "Liferay Portal 7.4.0 a 7.4.3.132, y Liferay DXP 2025.Q1.0, 2024.Q4.0 a 2024.Q4.7, 2024.Q3.0 a 2024.Q3.13, 2024.Q2.0 a 2024.Q2.13, 2024.Q1.1 a 2024.Q1.14 y 7.4 GA hasta la actualizaci\u00f3n 92 permiten a los usuarios administradores de una instancia virtual agregar p\u00e1ginas que no est\u00e1n en la instancia virtual predeterminada/principal; luego, cualquier inquilino puede crear una lista de todos los dem\u00e1s inquilinos."}], "lastModified": "2025-12-16T15:03:43.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C651A57-5FB9-4725-BD5B-7AB981B56003", "versionEndExcluding": "2024.Q1.15", "versionStartIncluding": "2024.Q1.1"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EB4ABE4-0B4D-471C-A868-0CA6F5EE7A47", "versionEndIncluding": "2024.q2.13", "versionStartIncluding": "2024.q2.0"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81DE8039-B5BF-4747-A426-DCA1FFC8D960", "versionEndIncluding": "2024.q3.13", "versionStartIncluding": "2024.q3.1"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB83F0DC-CD4C-4C2F-AEB5-98ABB73428A1", "versionEndIncluding": "2024.q4.7", "versionStartIncluding": "2024.q4.0"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E19E344-92B4-4B46-BD89-25EC7191972C"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2025.q1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5E7D4E9-76B1-4E84-8EE7-B38ECCB0B92D"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FA15ADB-E7D6-4F24-9A06-F281746CBF06", "versionEndIncluding": "7.4.3.132", "versionStartIncluding": "7.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}