Primary

Context

Liferay Portal and Liferay DXP Sensitive Information Disclosure Vulnerability via JSONWS APIs

Vulnerability

Patched

A vulnerability exists in Liferay Portal versions 7.4.0 through 7.4.3.131, and in Liferay DXP versions 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92. This vulnerability allows authenticated users without any permissions to access sensitive information belonging to admin users through JSONWS APIs.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive admin user information.

Remediation

Users can upgrade to Liferay Portal 7.4.3.132 or Liferay DXP versions 2025.Q1.0 or 2024.Q1.16 to address this vulnerability.

Added: Aug 23, 2025, 3:17 AM

Updated: Aug 23, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

5.2

remediation

7.7

relevance

0.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

5.2

remediation

7.7

relevance

0.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Liferay Portal and Liferay DXP Sensitive Information Disclosure Vulnerability via JSONWS APIs

Vulnerability

Impact

Remediation

Affected Products

Liferay Portal

Liferay DXP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating