Insecure Direct Object Reference in Liferay Portal and DXP
CVE-2025-43790

7.4 HIGH

Key Information:

Vendor: Liferay

Status
Vendor
CVE Published: 11 September 2025

What is CVE-2025-43790?

An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal versions 7.4.0 to 7.4.3.124 and Liferay DXP versions 2024.Q2.0 to 2024.Q2.6 and 2024.Q1.1 to 2024.Q1.12 allows remote authenticated users to access and manipulate data from different virtual instances. This weakness can be exploited to edit, create, or relate entries across virtual instances, potentially leading to unauthorized access to sensitive information.

Affected Version(s)

DXP 7.4.13 <= 7.4.13-u92

DXP 2024.Q1.1 <= 2024.Q1.12

DXP 2024.Q2.0 <= 2024.Q2.6

CVSS V4

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
