Description

Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact’s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter.

Remediation

References

CVE-2025-43803

Related Vulnerabilities

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-6472)

MySQL Use of Externally-Controlled Format String Vulnerability (CVE-2006-3469)

WordPress Plugin WP GuestMap Multiple Cross-Site Scripting Vulnerabilities (1.8)

Apache HTTP Server Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-59775)

Oracle JRE CVE-2022-21282 Vulnerability (CVE-2022-21282)

Severity

Medium

Classification

CVE-2025-43803 CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities