PT-2025-35865 · Liferay · Liferay Portal +2

Published 2025-09-04 · Updated 2025-09-04 · CVE-2025-43772

CVSS v4.0: 7.1
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions:

Kaleo Forms Admin in Liferay Portal versions 7.0.0 through 7.4.3.4

Kaleo Forms Admin in Liferay DXP versions 7.3 GA through update 27

Kaleo Forms Admin in Liferay DXP version 7.4 GA

Older unsupported versions

Description:

The application does not restrict the saving of request parameters in the portlet session. This allows remote attackers to consume system memory, potentially leading to denial-of-service (DoS) conditions via crafted HTTP requests.
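
The weakness class described above, shown as an added example that is not Liferay's code or the vendor's fix: an unrestricted copy of request parameters into session state beside a bounded version. A plain Map stands in for the portlet session; the class, method and parameter names and the limits are assumptions, and the code needs Java 11 or later.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration: a plain Map stands in for the portlet session.
// Class, method and parameter names are hypothetical, not Liferay code.
public class SessionParamGuard {
    static final Set<String> ALLOWED = Set.of("tabs1", "redirect", "keywords"); // assumed allow-list
    static final int MAX_VALUES = 8;       // assumed cap on values per parameter
    static final int MAX_VALUE_LEN = 256;  // assumed cap on characters per value

    // Unrestricted: every name/value the client sends is kept for the session's lifetime.
    static void saveAll(Map<String, Object> session, Map<String, String[]> params) {
        params.forEach((name, values) -> session.put("saved." + name, values));
    }

    // Restricted: only known names, bounded count and length; anything else is dropped.
    static int saveBounded(Map<String, Object> session, Map<String, String[]> params) {
        int stored = 0;
        for (String name : ALLOWED) {          // iterate the allow-list, not the client's names
            String[] values = params.get(name);
            if (values == null || values.length > MAX_VALUES) continue;
            boolean ok = true;
            for (String v : values) {
                if (v == null || v.length() > MAX_VALUE_LEN) { ok = false; break; }
            }
            if (ok) { session.put("saved." + name, values.clone()); stored++; }
        }
        return stored;
    }

    public static void main(String[] args) {
        // Constructed request: one expected parameter plus an unexpected, oversized one.
        Map<String, String[]> params = new HashMap<>();
        params.put("keywords", new String[] {"invoice"});
        params.put("x1", new String[] {"A".repeat(100_000)});

        Map<String, Object> unrestricted = new HashMap<>();
        Map<String, Object> bounded = new HashMap<>();
        saveAll(unrestricted, params);
        int kept = saveBounded(bounded, params);
        System.out.println("unrestricted entries: " + unrestricted.size());
        System.out.println("bounded entries: " + bounded.size() + " (stored " + kept + ")");
    }
}
```

Because the bounded version iterates the allow-list, the session footprint per user has a fixed upper limit regardless of what the request contains.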

Recommendations:

Versions prior to 7.4.3.4 are affected.

Versions prior to Liferay DXP update 27 are affected.

Versions prior to Liferay DXP 7.4 GA are affected.

Versions prior to Liferay DXP 7.3 GA are affected.

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2025-43772

Affected Products

Kaleo Forms Admin
Liferay DXP
Liferay Portal