CVE-2025-43758

Published: Aug 22, 2025Modified: Dec 16, 2025

5.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security@liferay.com (Secondary)

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library

Affected (7)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	From 2024.Q1.1 to 2024.Q1.16
Liferay Digital Experience Platform	From 2024.q2.0 to 2024.q2.13
Liferay Digital Experience Platform	From 2024.q3.1 to 2024.q3.13
Liferay Digital Experience Platform	From 2024.q4.0 to 2024.q4.7
Liferay Digital Experience Platform	From 2025.Q1.0 to 2025.Q1.6
Liferay Digital Experience Platform	Version 7.4
Liferay Liferay Portal	From 7.4.0 to 7.4.3.132

Related CWEs

CWE-552

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (1)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43758

Source: security@liferay.com

Vendor Advisory

Timeline

No history available yet.