CVE-2025-43766 — Liferay Portal allows unrestricted upload of file in the style books component

描述

The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers.

如何修補 CVE-2025-43766

要修補 CVE-2025-43766,請將受影響套件升級到下列已修補版本。

Maven/com.liferay:com.liferay.style.book.web—升級至 2.0.117 或更新版本

CVE-2025-43766 正在被利用嗎?

低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 2.0.117

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43766
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/d4a5b8fc9f88468168603ff8a1f9b81fa5b7c43e
WEBliferay.atlassian.net/browse/LPE-18145