CVE-2025-43784: 
Java vulnerability analysis and mitigation

Improper Access Control vulnerability discovered in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP versions including 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92. The vulnerability was disclosed on September 10, 2025, and allows guest users to obtain object entries information via the API Builder (Liferay Advisory).

The vulnerability has been assigned a CVSS 4.0 score of 6.2 with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N. The issue stems from improper access control mechanisms in the API Builder component, which fails to properly restrict access to object entries information for guest users (Liferay Advisory).

The vulnerability allows unauthorized guest users to access object entries information through the API Builder, potentially exposing sensitive data. The CVSS scoring indicates high potential impact on system confidentiality and integrity, though there are no direct impacts on availability (Liferay Advisory).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.125, Liferay DXP 2024.Q1.13, Liferay DXP 2024.Q2.9, Liferay DXP 2024.Q3.0, and Liferay DXP 2024.Q4.0. Users are advised to upgrade to these versions to mitigate the vulnerability (Liferay Advisory).