Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 1b46cc82624e · 2025-12-17T00:01:19.000Z
GHSA-hrqm-qpw9-w8rv GHSA-pw86-qvx9-34r7 GHSA-rpx3-f938-xj5q
diff --git a/advisories/github-reviewed/2025/09/GHSA-hrqm-qpw9-w8rv/GHSA-hrqm-qpw9-w8rv.json b/advisories/github-reviewed/2025/09/GHSA-hrqm-qpw9-w8rv/GHSA-hrqm-qpw9-w8rv.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hrqm-qpw9-w8rv",
-  "modified": "2025-09-26T13:04:13Z",
+  "modified": "2025-12-16T23:59:47Z",
   "published": "2025-09-25T21:30:25Z",
   "aliases": [
     "CVE-2025-43816"
@@ -11,7 +11,7 @@
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
diff --git a/advisories/github-reviewed/2025/09/GHSA-pw86-qvx9-34r7/GHSA-pw86-qvx9-34r7.json b/advisories/github-reviewed/2025/09/GHSA-pw86-qvx9-34r7/GHSA-pw86-qvx9-34r7.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pw86-qvx9-34r7",
-  "modified": "2025-10-01T15:56:54Z",
+  "modified": "2025-12-17T00:00:18Z",
   "published": "2025-09-30T21:31:16Z",
   "aliases": [
     "CVE-2025-43827"
   ],
   "summary": "Liferay Portal Vulnerable to IDOR via audit events",
-  "details": "Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter.",
+  "details": "Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the `_com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId` parameter.",
   "severity": [
     {
       "type": "CVSS_V4",
diff --git a/advisories/github-reviewed/2025/09/GHSA-rpx3-f938-xj5q/GHSA-rpx3-f938-xj5q.json b/advisories/github-reviewed/2025/09/GHSA-rpx3-f938-xj5q/GHSA-rpx3-f938-xj5q.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rpx3-f938-xj5q",
-  "modified": "2025-09-27T03:25:21Z",
+  "modified": "2025-12-16T23:59:11Z",
   "published": "2025-09-24T03:30:26Z",
   "aliases": [
     "CVE-2025-43819"
   ],
   "summary": "Liferay Portal and DXP does not properly expire sessions",
-  "details": "### Summary\n\nLiferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user’s previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context.\n\n### Affected Versions\n\nThe following platform versions are affected:\n\n*   **Liferay Portal:**  `7.3.3.131` through `7.4.3.121`\n*   **Liferay DXP:**\n    *   `2024.Q4.0`–`2024.Q4.3`\n    *   `2024.Q3.1`–`2024.Q3.13`\n    *   `2024.Q2.0`–`2024.Q2.13`\n    *   `2024.Q1.1`–`2024.Q1.12`\n\n### Remediation\n\nUpdate to the fixed builds and, for Maven consumers of the SAML module, upgrade `com.liferay:com.liferay.saml.impl` to **5.0.51** or later. After upgrading, ensure session invalidation policies are enforced and verify SLO behavior end-to-end.",
+  "details": "### Summary\n\nLiferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user’s previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context.\n\n### Affected Versions\n\nThe following platform versions are affected:\n\n*   **Liferay Portal:**  \n    *   `7.3.3.131` through `7.4.3.121`\n*   **Liferay DXP:**\n    *   `2024.Q4.0`–`2024.Q4.3`\n    *   `2024.Q3.1`–`2024.Q3.13`\n    *   `2024.Q2.0`–`2024.Q2.13`\n    *   `2024.Q1.1`–`2024.Q1.12`\n\n### Remediation\n\nUpdate to the fixed builds and, for Maven consumers of the SAML module, upgrade `com.liferay:com.liferay.saml.impl` to **5.0.51** or later. After upgrading, ensure session invalidation policies are enforced and verify SLO behavior end-to-end.",
   "severity": [
     {
       "type": "CVSS_V4",

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-hrqm-qpw9-w8rv",`
`4`		`- "modified": "2025-09-26T13:04:13Z",`
	`4`	`+ "modified": "2025-12-16T23:59:47Z",`
`5`	`5`	`"published": "2025-09-25T21:30:25Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-43816"`
`@@ -11,7 +11,7 @@`
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V4",`
`14`		`- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"`
	`14`	`+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"`
`15`	`15`	`}`
`16`	`16`	`],`
`17`	`17`	`"affected": [`