CVE-2025-43827

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.117 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.10 Liferay DXP versions 2024.Q1.1 through 2024.Q1.5 Liferay Portal 7.4 GA through update 92 Older unsupported versions

Description An issue exists in Liferay Portal and DXP that allows remotely authenticated users to access audit events from a different virtual instance. This occurs due to an Insecure Direct Object Reference (IDOR) condition. The issue is related to the com liferay portal security audit web portlet AuditPortlet auditEventId parameter.

Recommendations Update Liferay Portal to a version after 7.4.3.117. Update Liferay DXP to a version after 2024.Q1.5. Update Liferay DXP to a version after 2023.Q4.10. Update Liferay DXP to a version after 2023.Q3.10. Update Liferay Portal to a version after update 92.