CVE-2025-43825 — Liferay Portal exposes sensitive user data through its Freemarker template

描述

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially expose, confidential information that should remain restricted.

如何修補 CVE-2025-43825

要修補 CVE-2025-43825,請將受影響套件升級到下列已修補版本。

—升級至 7.0.60 或更新版本

CVE-2025-43825 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

>= 7.0.3, < 7.0.60

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43825
WEBgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/ff6c9fb24587a0c7bf3c48356a38b3f492670ea0
WEBliferay.atlassian.net/browse/LPE-18166