CVE-2025-43736
EPSS 0.24%Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability
發布日:2025/8/12修改日:2025/8/12
描述
A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture of more than 300kb into a user profile. This size is more than the noted max 300kb size. This extra data can significantly slow down the Liferay service.
受影響套件(6)
- Maven/com.liferay:com.liferay.account.admin.webfrom 0, < 2.0.138
- Maven/com.liferay:com.liferay.frontend.taglibfrom 0, < 13.10.0
- Maven/com.liferay:com.liferay.image.uploader.webfrom 0, < 5.0.56
- Maven/com.liferay:com.liferay.users.admin.webfrom 0, < 11.0.27
- Maven/com.liferay.portal:release.dxp.bom>= 2025.Q1.0, < 2025.Q1.9
- Maven/com.liferay.portal:release.portal.bom>= 7.4.3.0, <= 7.4.3.132
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/RE:L |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-43736
- PATCHhttps://github.com/liferay/liferay-portal
- WEBhttps://github.com/liferay/liferay-portal/commit/ab8932bee29df7df377c468f662d55e624d9390d
- WEBhttps://liferay.atlassian.net/browse/LPE-18220
- WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43736