Description

Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 does not perform an authorization check when users attempt to view a display page template, which allows remote attackers to view display page templates via crafted URLs.

Remediation

References

CVE-2025-43805

Related Vulnerabilities

WordPress Plugin Social Login WP Cross-Site Request Forgery (5.0.0.0)

SugarCRM Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-17307)

Django Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-0220)

Ruby on Rails Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2009-4214)

Oracle Database Server CVE-2020-2516 Vulnerability (CVE-2020-2516)

Severity

Medium

Classification

CVE-2025-43805 CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities