Description

JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get executed.

Remediation

References

CVE-2025-43789

Related Vulnerabilities

WordPress Plugin WP ULike Cross-Site Scripting (3.1)

Atlassian Confluence Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-2928)

WordPress Plugin WP Easy full backup Information Disclosure (1.4)

WebLogic Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2021-29425)

Next.js Uncontrolled Resource Consumption Vulnerability (CVE-2025-59471)

Severity

Medium

Classification

CVE-2025-43789 CWE-863 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Known Vulnerabilities