GHSA-43xf-59vr-g4f2

GitHub Security Advisory

Liferay Portal Uses Default Password

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions, do not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API.

Affected Packages

Maven com.liferay.portal:release.portal.bom
Affected versions: 7.4.0 (fixed in 7.4.3.112)

Key Information

GHSA ID: GHSA-43xf-59vr-g4f2
Published: September 15, 2025 9:30 PM
Last Modified: September 16, 2025 12:00 AM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: com.liferay.portal:release.portal.bom
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.