PT-2025-34518 · Liferay · Kaleo Designer Portlet+2
Published
2025-08-23
·
Updated
2025-08-23
·
CVE-2025-43764
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions:
Liferay Portal versions 7.4.0 through 7.4.3.131
Liferay DXP versions 2024.Q1.1 through 2024.Q1.20
Liferay DXP versions 2024.Q2.1 through 2024.Q2.13
Liferay DXP versions 2024.Q3.0 through 2024.Q3.13
Liferay DXP versions 2024.Q4.0 through 2024.Q4.1
Liferay Portal 7.4 GA through update 92
Description:
A Self-ReDoS (Regular expression Denial of Service) issue exists in the Role Name search field of the Kaleo Designer portlet JavaScript. This allows authenticated users with permissions to update Kaleo Workflows to submit a malicious Regex pattern, potentially causing a browser to hang.
Recommendations:
Liferay Portal versions 7.4.0 through 7.4.3.131: Update to a version later than 7.4.3.131.
Liferay DXP versions 2024.Q1.1 through 2024.Q1.20: Update to a version later than 2024.Q1.20.
Liferay DXP versions 2024.Q2.1 through 2024.Q2.13: Update to a version later than 2024.Q2.13.
Liferay DXP versions 2024.Q3.0 through 2024.Q3.13: Update to a version later than 2024.Q3.13.
Liferay DXP versions 2024.Q4.0 through 2024.Q4.1: Update to a version later than 2024.Q4.1.
Liferay Portal 7.4 GA through update 92: Update to a version later than update 92.
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Kaleo Designer Portlet
Liferay Dxp
Liferay Portal