
Commit 37013c8

1 parent 0298ab3 commit 37013c8


3 files changed

+94
-15
lines changed

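--- a/PATH_NOT_SHOWN_GHSA-43xf-59vr-g4f2
+++ b/PATH_NOT_SHOWN_GHSA-43xf-59vr-g4f2
@@ -1,24 +1,49 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-43xf-59vr-g4f2",
-"modified": "2025-09-15T21:30:56Z",
+"modified": "2025-09-16T00:00:14Z",
 "published": "2025-09-15T21:30:56Z",
 "aliases": [
 "CVE-2025-43799"
 ],
+"summary": "Liferay Portal Uses Default Password",
 "details": "Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API.",
 "severity": [
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Maven",
+"name": "com.liferay.portal:release.portal.bom"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "7.4.0"
+},
+{
+"fixed": "7.4.3.112"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43799"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/liferay/liferay-portal"
+},
 {
 "type": "WEB",
 "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43799"
@@ -29,8 +54,8 @@
 "CWE-1393"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2025-09-16T00:00:14Z",
 "nvd_published_at": "2025-09-15T21:15:35Z"
 }
 }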
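Review bot: The new affected range at `"introduced": "7.4.0"` is narrower than the details, which state that "older unsupported versions" of Liferay Portal are also affected, so an OSV matcher checking a release.portal.bom version below 7.4.0 would report no match. The other two files in this commit (GHSA-4p5r-3jmm-652q, GHSA-jfv5-r382-xvwh) use `"introduced": "0"` for their ranges; if the bom artifact exists for pre-7.4 releases, `"introduced": "0"` would be consistent with both them and the details. The details also list Liferay DXP 2023.Q3/Q4 and the 7.3/7.4 update lines as affected, and no affected entry covers those; whether DXP ships under a different Maven coordinate is not visible here, but if so a second `affected` entry is needed.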
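--- a/PATH_NOT_SHOWN_GHSA-4p5r-3jmm-652q
+++ b/PATH_NOT_SHOWN_GHSA-4p5r-3jmm-652q
@@ -1,24 +1,53 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4p5r-3jmm-652q",
-"modified": "2025-09-15T21:30:56Z",
+"modified": "2025-09-15T23:59:59Z",
 "published": "2025-09-15T21:30:56Z",
 "aliases": [
 "CVE-2025-43798"
 ],
+"summary": "Liferay DXP Missing Critical Step in Authentication",
 "details": "Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.",
 "severity": [
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Maven",
+"name": "com.liferay:com.liferay.multi.factor.authentication.timebased.otp.web"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.0.25"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43798"
 },
+{
+"type": "WEB",
+"url": "https://github.com/liferay/liferay-portal/commit/1df25e46675afe7c3a2754bf8968bcb9677db950"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/liferay/liferay-portal"
+},
 {
 "type": "WEB",
 "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43798"
@@ -29,8 +58,8 @@
 "CWE-304"
 ],
 "severity": "LOW",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2025-09-15T23:59:59Z",
 "nvd_published_at": "2025-09-15T21:15:35Z"
 }
 }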
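Review bot: The fixing-commit reference added with `"url": "https://github.com/liferay/liferay-portal/commit/1df25e46675afe7c3a2754bf8968bcb9677db950"` is typed `"WEB"`, whereas the OSV schema provides the `FIX` reference type for exactly this case; `"type": "FIX"` would let tooling distinguish the remediating commit from the liferay.dev write-up, which is also typed `WEB`. The affected entry covers only the `timebased.otp.web` module with `"fixed": "2.0.25"`, while the details name DXP 7.3 GA through update 35 and 7.4 GA through update 92 as affected; whether those release lines ship that module version is not visible on this page, so the mapping is worth confirming before the advisory is relied on for 7.3 installs.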
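--- a/PATH_NOT_SHOWN_GHSA-jfv5-r382-xvwh
+++ b/PATH_NOT_SHOWN_GHSA-jfv5-r382-xvwh
@@ -1,24 +1,49 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jfv5-r382-xvwh",
-"modified": "2025-09-15T21:30:55Z",
+"modified": "2025-09-15T23:59:36Z",
 "published": "2025-09-15T21:30:55Z",
 "aliases": [
 "CVE-2025-43800"
 ],
+"summary": "Liferay Portal Cross-site Scripting (XSS) vulnerability",
 "details": "Cross-site scripting (XSS) vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an object with a rich text type field.",
 "severity": [
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Maven",
+"name": "com.liferay:com.liferay.dynamic.data.mapping.form.field.type"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "6.0.167"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43800"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/liferay/liferay-portal"
+},
 {
 "type": "WEB",
 "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43800"
@@ -29,8 +54,8 @@
 "CWE-79"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2025-09-15T23:59:36Z",
 "nvd_published_at": "2025-09-15T19:15:35Z"
 }
 }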
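Review bot: Unlike the GHSA-4p5r-3jmm-652q file in this commit, this advisory (and likewise GHSA-43xf-59vr-g4f2) adds no reference to the fixing commit, so the `"fixed": "6.0.167"` boundary on `com.liferay:com.liferay.dynamic.data.mapping.form.field.type` cannot be cross-checked from the advisory itself; if a public fix commit exists, a `{"type": "FIX", "url": "<fix commit URL>"}` entry in `references` would document it. The range also starts at `"introduced": "0"` while the details bound the affected Portal versions at 7.4.3.20; if the module version that shipped with 7.4.3.20 is known, a tighter `introduced` would avoid flagging earlier module versions, though "0" is the safe default when that mapping is unknown.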
