Publish Advisories

GHSA-5wxc-3jfw-w94p
GHSA-g8fh-pfw3-8rmr
GHSA-jhgr-j9cj-8j62
GHSA-v53g-736w-mgw4
GHSA-wr8m-5h2p-4432

Author: advisory-database[bot]

advisories/github-reviewed/2025/09/GHSA-5wxc-3jfw-w94p/GHSA-5wxc-3jfw-w94p.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5wxc-3jfw-w94p",
-  "modified": "2025-09-12T19:49:10Z",
+  "modified": "2025-12-20T02:57:24Z",
   "published": "2025-09-11T18:35:53Z",
   "aliases": [
     "CVE-2025-43790"
   ],
   "summary": "Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass",
-  "details": "Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate data/object entries/definitions to an object in a different virtual instance.",
+  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate data/object entries/definitions to an object in a different virtual instance.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2025/09/GHSA-g8fh-pfw3-8rmr/GHSA-g8fh-pfw3-8rmr.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g8fh-pfw3-8rmr",
-  "modified": "2025-09-15T13:54:10Z",
+  "modified": "2025-12-20T02:59:08Z",
   "published": "2025-09-12T18:31:10Z",
   "aliases": [
     "CVE-2025-43787"
   ],
   "summary": "Liferay Portal's selection modal is vulnerable to XSS",
-  "details": "A Stored cross-site scripting vulnerability in the Liferay Portal  7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the organization site names. The malicious payload is stored and executed without proper sanitization or escaping.",
+  "details": "A stored cross-site scripting vulnerability in the Liferay Portal  7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the organization site names. The malicious payload is stored and executed without proper sanitization or escaping.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2025/09/GHSA-jhgr-j9cj-8j62/GHSA-jhgr-j9cj-8j62.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jhgr-j9cj-8j62",
-  "modified": "2025-09-12T21:09:38Z",
+  "modified": "2025-12-20T02:57:01Z",
   "published": "2025-09-10T21:30:19Z",
   "aliases": [
     "CVE-2025-43783"
   ],
   "summary": "Liferay Portal is vulnerable to Reflected XSS attack through get_editor path",
-  "details": "Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path.",
+  "details": "A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2025/09/GHSA-v53g-736w-mgw4/GHSA-v53g-736w-mgw4.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v53g-736w-mgw4",
-  "modified": "2025-09-15T13:42:37Z",
+  "modified": "2025-12-20T02:58:30Z",
   "published": "2025-09-12T03:33:06Z",
   "aliases": [
     "CVE-2025-43788"
   ],
   "summary": "Liferay Portal's Organization Selector exposes organization data to remote authenticated users",
-  "details": "The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.",
+  "details": "The Organization Selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.",
   "severity": [
     {
       "type": "CVSS_V4",

advisories/github-reviewed/2025/09/GHSA-wr8m-5h2p-4432/GHSA-wr8m-5h2p-4432.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wr8m-5h2p-4432",
-  "modified": "2025-09-15T13:42:17Z",
+  "modified": "2025-12-20T02:57:55Z",
   "published": "2025-09-11T18:35:53Z",
   "aliases": [
     "CVE-2025-43782"
   ],
   "summary": "Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name",
-  "details": "Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.",
+  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.",
   "severity": [
     {
       "type": "CVSS_V4",