=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN633
_____________________________________________________________________

DATE                : 23/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Liferay Portal versions prior
                     to 7.4.3.113-ga113, and Liferay DXP versions
                     prior to 2024.Q2.0, 2024.Q1.1, 2023.Q4.8.

=====================================================================
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-43806
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2025-43814
_____________________________________________________________________

CVE-2025-43806 Unauthorized access to exported data from batch engine


Description

The Batch Engine in Liferay Portal and Liferay DXP does not properly
check permissions on import and export tasks, which allows remote
authenticated users to access the exported data via the REST APIs.


Severity

5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)


Affected Version(s)

    Liferay Portal 7.4.0 through 7.4.3.112
    Liferay DXP 2023.Q4.0 through 2023.Q4.7
    Liferay DXP 2023.Q3.1 through 2023.Q3.10
    Liferay DXP 7.4


Fixed Version(s)

    Liferay Portal 7.4.3.113
    Liferay DXP 2024.Q2.0
    Liferay DXP 2024.Q1.1
    Liferay DXP 2023.Q4.8

Publication date: Mon, 22 Sep 2025 09:36:00 +0000

Security advisories for Liferay's enterprise offerings
(e.g., Liferay DXP) are only listed here since 2023.
Historical advisories are available in the Help Center.

_____________________________________________________________________

CVE-2025-43814 Password reminder answers recorded in audit events


Description

In Liferay Portal and Liferay DXP, audit events record a user's
password reminder answer, which allows remote authenticated users
to obtain a user's password reminder answer by reading the audit events.


Severity

6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)


Affected Version(s)

    Liferay Portal 7.2.0 through 7.4.3.112
    Liferay DXP 2023.Q4.0 through 2023.Q4.8
    Liferay DXP 2023.Q3.1 through 2023.Q3.10
    Liferay DXP 7.4


Fixed Version(s)

    Liferay Portal 7.4.3.113
    Liferay DXP 2024.Q2.0
    Liferay DXP 2024.Q1.1
    Liferay DXP 2023.Q4.9

Publication date: Mon, 22 Sep 2025 10:57:00 +0000


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
