CVE-2025-43773: CWE-862 Missing Authorization in Liferay Portal
Description
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.1, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.18, have a security vulnerability that allows improper access through the expandoTableLocalService. This service, which provides powerful database operations, is exposed within the Notifications Templates without proper permission checks.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:28.237Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68b1f959ad5a09ad007a4b5a
Added to database: 8/29/2025, 7:02:49 PM
Last updated: 8/29/2025, 7:02:49 PM