CVE-2025-43732
LOWDescription
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | digital_experience_platform |
| liferay | liferay_portal |
References
Frequently Asked Questions
What is CVE-2025-43732? +
How severe is CVE-2025-43732? +
What products are affected by CVE-2025-43732? +
How do I check if I'm vulnerable to CVE-2025-43732? +
Related Vulnerabilities
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` …
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring …
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in …
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in …
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because …
Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application