CVE-2025-43827
Description
Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users from one virtual instance to view the audit events of a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter.
Risk Information
Base Score
4.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
0.046
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerability CVE-2025-43827 is fixed in Liferay - com.liferay.portal.security.audit.storage.service 6.0.41 | Windows |
| Vulnerability CVE-2025-43827 is fixed in Liferay - com.liferay.portal.security.audit.web 5.0.33 | Windows |
| Vulnerability CVE-2025-43827 is fixed in Liferay - com.liferay.portal.security.audit.storage.service for Linux 6.0.41 | Linux |
| Vulnerability CVE-2025-43827 is fixed in Liferay - com.liferay.portal.security.audit.web for Linux 5.0.33 | Linux |
Patch Details
No records found