CVE-2025-43786
EUVD-2025-27584
09.09.2025, 20:15
Enumeration of ERC (external reference code) from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allows attackers to determine which ERCs exist in the application by exploiting differences in response time.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| liferay | digital_experience_platform | 2024.Q1.1 ≤ 𝑥 < 2024.Q1.13 |
| liferay | digital_experience_platform | 2024.Q2.0 ≤ 𝑥 ≤ 2024.Q2.13 |
| liferay | digital_experience_platform | 2024.Q3.0 ≤ 𝑥 < 2024.Q3.2 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4:update1 |
| liferay | digital_experience_platform | 7.4:update10 |
| liferay | digital_experience_platform | 7.4:update11 |
| liferay | digital_experience_platform | 7.4:update12 |
| liferay | digital_experience_platform | 7.4:update13 |
| liferay | digital_experience_platform | 7.4:update14 |
| liferay | digital_experience_platform | 7.4:update15 |
| liferay | digital_experience_platform | 7.4:update16 |
| liferay | digital_experience_platform | 7.4:update17 |
| liferay | digital_experience_platform | 7.4:update18 |
| liferay | digital_experience_platform | 7.4:update19 |
| liferay | digital_experience_platform | 7.4:update2 |
| liferay | digital_experience_platform | 7.4:update20 |
| liferay | digital_experience_platform | 7.4:update21 |
| liferay | digital_experience_platform | 7.4:update22 |
| liferay | digital_experience_platform | 7.4:update23 |
| liferay | digital_experience_platform | 7.4:update24 |
| liferay | digital_experience_platform | 7.4:update25 |
| liferay | digital_experience_platform | 7.4:update26 |
| liferay | digital_experience_platform | 7.4:update27 |
| liferay | digital_experience_platform | 7.4:update28 |
| liferay | digital_experience_platform | 7.4:update29 |
| liferay | digital_experience_platform | 7.4:update3 |
| liferay | digital_experience_platform | 7.4:update30 |
| liferay | digital_experience_platform | 7.4:update31 |
| liferay | digital_experience_platform | 7.4:update32 |
| liferay | digital_experience_platform | 7.4:update33 |
| liferay | digital_experience_platform | 7.4:update34 |
| liferay | digital_experience_platform | 7.4:update35 |
| liferay | digital_experience_platform | 7.4:update36 |
| liferay | digital_experience_platform | 7.4:update37 |
| liferay | digital_experience_platform | 7.4:update38 |
| liferay | digital_experience_platform | 7.4:update39 |
| liferay | digital_experience_platform | 7.4:update4 |
| liferay | digital_experience_platform | 7.4:update40 |
| liferay | digital_experience_platform | 7.4:update41 |
| liferay | digital_experience_platform | 7.4:update42 |
| liferay | digital_experience_platform | 7.4:update43 |
| liferay | digital_experience_platform | 7.4:update44 |
| liferay | digital_experience_platform | 7.4:update45 |
| liferay | digital_experience_platform | 7.4:update46 |
| liferay | digital_experience_platform | 7.4:update47 |
| liferay | digital_experience_platform | 7.4:update48 |
| liferay | digital_experience_platform | 7.4:update49 |
| liferay | digital_experience_platform | 7.4:update5 |
| liferay | digital_experience_platform | 7.4:update50 |
| liferay | digital_experience_platform | 7.4:update51 |
| liferay | digital_experience_platform | 7.4:update52 |
| liferay | digital_experience_platform | 7.4:update53 |
| liferay | digital_experience_platform | 7.4:update54 |
| liferay | digital_experience_platform | 7.4:update55 |
| liferay | digital_experience_platform | 7.4:update56 |
| liferay | digital_experience_platform | 7.4:update57 |
| liferay | digital_experience_platform | 7.4:update58 |
| liferay | digital_experience_platform | 7.4:update59 |
| liferay | digital_experience_platform | 7.4:update6 |
| liferay | digital_experience_platform | 7.4:update60 |
| liferay | digital_experience_platform | 7.4:update61 |
| liferay | digital_experience_platform | 7.4:update62 |
| liferay | digital_experience_platform | 7.4:update63 |
| liferay | digital_experience_platform | 7.4:update64 |
| liferay | digital_experience_platform | 7.4:update65 |
| liferay | digital_experience_platform | 7.4:update66 |
| liferay | digital_experience_platform | 7.4:update67 |
| liferay | digital_experience_platform | 7.4:update68 |
| liferay | digital_experience_platform | 7.4:update69 |
| liferay | digital_experience_platform | 7.4:update7 |
| liferay | digital_experience_platform | 7.4:update70 |
| liferay | digital_experience_platform | 7.4:update71 |
| liferay | digital_experience_platform | 7.4:update72 |
| liferay | digital_experience_platform | 7.4:update73 |
| liferay | digital_experience_platform | 7.4:update74 |
| liferay | digital_experience_platform | 7.4:update75 |
| liferay | digital_experience_platform | 7.4:update76 |
| liferay | digital_experience_platform | 7.4:update77 |
| liferay | digital_experience_platform | 7.4:update78 |
| liferay | digital_experience_platform | 7.4:update79 |
| liferay | digital_experience_platform | 7.4:update8 |
| liferay | digital_experience_platform | 7.4:update80 |
| liferay | digital_experience_platform | 7.4:update81 |
| liferay | digital_experience_platform | 7.4:update82 |
| liferay | digital_experience_platform | 7.4:update83 |
| liferay | digital_experience_platform | 7.4:update84 |
| liferay | digital_experience_platform | 7.4:update85 |
| liferay | digital_experience_platform | 7.4:update86 |
| liferay | digital_experience_platform | 7.4:update87 |
| liferay | digital_experience_platform | 7.4:update88 |
| liferay | digital_experience_platform | 7.4:update89 |
| liferay | digital_experience_platform | 7.4:update9 |
| liferay | digital_experience_platform | 7.4:update90 |
| liferay | digital_experience_platform | 7.4:update91 |
| liferay | digital_experience_platform | 7.4:update92 |
| liferay | liferay_portal | 7.4.0 ≤ 𝑥 < 7.4.3.129 |
𝑥 = Vulnerable software versions
Common Weakness Enumeration
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- CWE-203 - Observable Discrepancy: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.