PT-2025-36527 · Liferay · Liferay Portal+1
Published
2025-09-08
·
Updated
2025-09-09
·
CVE-2025-43763
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Liferay Portal versions 7.4.0 through 7.4.3.131
Liferay DXP versions 2024.Q1.1 through 2024.Q1.20
Liferay DXP versions 2024.Q2.0 through 2024.Q2.13
Liferay DXP versions 2024.Q3.0 through 2024.Q3.13
Liferay DXP versions 2024.Q4.0 through 2024.Q4.7
Description:
A server-side request forgery (SSRF) vulnerability exists that affects custom object attachment fields. This flaw allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources.
Recommendations:
Liferay Portal versions 7.4.0 through 7.4.3.131 should be updated.
Liferay DXP versions 2024.Q1.1 through 2024.Q1.20 should be updated.
Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 should be updated.
Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 should be updated.
Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 should be updated.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Dxp
Liferay Portal