Home > Vulnerability Database > CVE-2025-43786

Mend.io Vulnerability Database

CVE-2025-43786

Good to know:

Date: September 9, 2025

Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the application by exploit the time response.

Severity Score

5.3

Related Resources (8)

Url: https://github.com/liferay/liferay-portal/commit/8f9728086bd61661437b0aa8493c83510914a474

Url: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43786

Url: https://github.com/liferay/liferay-portal

Url: https://github.com/liferay/liferay-portal/commit/e4a140d6d92e92911f08fe33051b677742531f19

Url: https://github.com/liferay/liferay-portal/commit/e34499eab2ce1d544835835afe6733a78b4ab532

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-43786

Url: https://liferay.atlassian.net/browse/LPE-18106

Url: https://www.mend.io/vulnerability-database/CVE-2025-43786

Severity Score

5.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Observable Timing Discrepancy

CWE-208

Top Fix

Upgrade Version

Upgrade to version com.liferay:com.liferay.portal.vulcan.impl:5.0.127;com.liferay:com.liferay.headless.admin.workflow.impl:5.0.83;com.liferay:com.liferay.portal.workflow.api:11.0.1

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-43786

Good to know:

Date: September 9, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?