CVE-2025-43745

A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to performs cross-origin request on behalf of the authenticated user via the endpoint parameter.

CVSS

No CVSS.

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43745

Configurations

No configuration.

History

20 Aug 2025, 14:40

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad CSRF en Liferay Portal 7.4.0 a 7.4.3.132, y Liferay DXP 2025.Q2.0 a 2025.Q2.7, 2025.Q1.0 a 2025.Q1.14, 2024.Q4.0 a 2024.Q4.7, 2024.Q3.1 a 2024.Q3.13, 2024.Q2.0 a 2024.Q2.13, 2024.Q1.1 a 2024.Q1.19 y 7.4 GA hasta la actualización 92 permite a atacantes remotos realizar solicitudes de origen cruzado en nombre del usuario autenticado a través del parámetro de endpoint.

19 Aug 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 19:15

Updated : 2025-08-20 14:40

NVD link : CVE-2025-43745

Mitre link : CVE-2025-43745

CVE.ORG link : CVE-2025-43745

JSON object : View

Products Affected

No product.

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2025-43745", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@liferay.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-19T19:15:35.490", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43745", "source": "security@liferay.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@liferay.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to performs cross-origin request on behalf of the authenticated user via the endpoint parameter."}, {"lang": "es", "value": "Una vulnerabilidad CSRF en Liferay Portal 7.4.0 a 7.4.3.132, y Liferay DXP 2025.Q2.0 a 2025.Q2.7, 2025.Q1.0 a 2025.Q1.14, 2024.Q4.0 a 2024.Q4.7, 2024.Q3.1 a 2024.Q3.13, 2024.Q2.0 a 2024.Q2.13, 2024.Q1.1 a 2024.Q1.19 y 7.4 GA hasta la actualizaci\u00f3n 92 permite a atacantes remotos realizar solicitudes de origen cruzado en nombre del usuario autenticado a trav\u00e9s del par\u00e1metro de endpoint."}], "lastModified": "2025-08-20T14:40:17.713", "sourceIdentifier": "security@liferay.com"}