Moderate severity · NVD Advisory · Published Aug 22, 2025 · Updated Aug 26, 2025
CVE-2025-43759
Description
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow admin users of a virtual instance to add pages that are not in the default/main virtual instance; as a result, any tenant can create a list of all other tenants.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.layout.impl (Maven) | < 6.0.147 | 6.0.147 |
Affected products
- Liferay/DXP, v5, Range: 7.4.13
Patches
- e8cbc7c27e5e: LPD-49304 Check the portlet could be added to this page
1 file changed · +18 −3
modules/apps/layout/layout-impl/src/main/java/com/liferay/layout/internal/struts/UpdateLayoutStrutsAction.java+18 −3 modified@@ -404,12 +404,27 @@ private void _checkPortletPermission( themeDisplay.getPermissionChecker(), portletId, ActionKeys.ADD_TO_PAGE); - PortletCategory portletCategory = (PortletCategory)WebAppPool.get( - themeDisplay.getCompanyId(), WebKeys.PORTLET_CATEGORY); - Portlet portlet = _portletLocalService.getPortletById( themeDisplay.getCompanyId(), portletId); + LayoutTypePortlet layoutTypePortlet = + themeDisplay.getLayoutTypePortlet(); + + if (!portlet.isActive() || !portlet.isInclude() || + (!portlet.isInstanceable() && + layoutTypePortlet.hasPortletId(portlet.getPortletId())) || + portlet.isSystem() || portlet.isUndeployedPortlet()) { + + throw new PrincipalException.MustHavePermission( + themeDisplay.getPermissionChecker(), + StringBundler.concat( + Portlet.class.getName(), StringPool.UNDERLINE, portletId), + 0, ActionKeys.ADD_TO_PAGE); + } + + PortletCategory portletCategory = (PortletCategory)WebAppPool.get( + themeDisplay.getCompanyId(), WebKeys.PORTLET_CATEGORY); + Set<String> categoryNames = portlet.getCategoryNames(); for (PortletCategory curPortletCategory :
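Review bot: the new `if` block in `_checkPortletPermission` folds five unrelated rejection reasons (inactive, not included, non-instanceable portlet already present via `layoutTypePortlet.hasPortletId(...)`, system, undeployed) into one condition and throws `PrincipalException.MustHavePermission` for all of them, so a denial caused by an undeployed or system portlet is recorded as a missing `ADD_TO_PAGE` permission. Consider extracting the state checks into a named helper (for example `_isPortletAddable(portlet, layoutTypePortlet)`) or throwing a distinct exception, so operators can tell a permission failure from a portlet-state failure in the logs. Moving the `WebAppPool.get(...)` lookup below the state check is fine, but the `PortletCategory` result is still dereferenced afterwards without a null guard.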
- 2e29e6733bc0: LPD-49304 Check the portlet add to page permission and the portlet category visibility
1 file changed · +42 −0
modules/apps/layout/layout-impl/src/main/java/com/liferay/layout/internal/struts/UpdateLayoutStrutsAction.java+42 −0 modified@@ -20,14 +20,18 @@ import com.liferay.portal.kernel.model.LayoutRevision; import com.liferay.portal.kernel.model.LayoutTypePortlet; import com.liferay.portal.kernel.model.Portlet; +import com.liferay.portal.kernel.model.PortletCategory; import com.liferay.portal.kernel.portlet.PortletPreferencesFactoryUtil; import com.liferay.portal.kernel.portlet.render.PortletRenderParts; import com.liferay.portal.kernel.portlet.render.PortletRenderUtil; +import com.liferay.portal.kernel.security.auth.PrincipalException; +import com.liferay.portal.kernel.security.permission.ActionKeys; import com.liferay.portal.kernel.service.LayoutRevisionLocalService; import com.liferay.portal.kernel.service.LayoutService; import com.liferay.portal.kernel.service.PortletLocalService; import com.liferay.portal.kernel.service.ServiceContext; import com.liferay.portal.kernel.service.ServiceContextFactory; +import com.liferay.portal.kernel.service.permission.PortletPermissionUtil; import com.liferay.portal.kernel.servlet.BufferCacheServletResponse; import com.liferay.portal.kernel.servlet.DynamicServletRequest; import com.liferay.portal.kernel.servlet.ServletResponseUtil; @@ -49,6 +53,9 @@ import com.liferay.portal.struts.Action; import com.liferay.portal.util.LayoutClone; import com.liferay.portal.util.LayoutCloneFactory; +import com.liferay.portal.util.WebAppPool; + +import java.util.Set; import javax.portlet.PortletPreferences; @@ -96,6 +103,8 @@ public String execute( throw new IllegalArgumentException("Portlet ID is null"); } + _checkPortletPermission(portletId, themeDisplay); + String columnId = ParamUtil.getString( httpServletRequest, "p_p_col_id", null); int columnPos = ParamUtil.getInteger( 
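Review bot: the call `_checkPortletPermission(portletId, themeDisplay);` is placed directly after the `"Portlet ID is null"` guard and before `p_p_col_id` and `columnPos` are read, so the request is rejected before any layout state is touched, which is the right order. What this commit lacks is a test for the check: one case with no `ADD_TO_PAGE` permission, one where the portlet appears only in a hidden category, and one allow path, since the method is a security boundary and nothing in the diff exercises it. The added `PortletPermissionUtil`, `PrincipalException`, `ActionKeys`, `WebAppPool` and `java.util.Set` imports in the first two hunks match their use in the new method.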
@@ -387,6 +396,39 @@ protected void storeAddContentPortletPreferences( portletPreferences.store(); } + private void _checkPortletPermission( + String portletId, ThemeDisplay themeDisplay) + throws Exception { + + PortletPermissionUtil.check( + themeDisplay.getPermissionChecker(), portletId, + ActionKeys.ADD_TO_PAGE); + + PortletCategory portletCategory = (PortletCategory)WebAppPool.get( + themeDisplay.getCompanyId(), WebKeys.PORTLET_CATEGORY); + + Portlet portlet = _portletLocalService.getPortletById( + themeDisplay.getCompanyId(), portletId); + + Set<String> categoryNames = portlet.getCategoryNames(); + + for (PortletCategory curPortletCategory : + portletCategory.getCategories()) { + + if (!curPortletCategory.isHidden() && + categoryNames.contains(curPortletCategory.getName())) { + + return; + } + } + + throw new PrincipalException.MustHavePermission( + themeDisplay.getPermissionChecker(), + StringBundler.concat( + Portlet.class.getName(), StringPool.UNDERLINE, portletId), + 0, ActionKeys.ADD_TO_PAGE); + } + @Reference private LayoutRevisionLocalService _layoutRevisionLocalService;
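Review bot: `PortletCategory portletCategory = (PortletCategory)WebAppPool.get(...)` is dereferenced in `portletCategory.getCategories()` without a null check, so a company with no `WebKeys.PORTLET_CATEGORY` entry registered would fail with a `NullPointerException` rather than the intended `PrincipalException.MustHavePermission`; both outcomes block the add, but the exception type drives logging and the message the admin sees, so guard for null and throw the same `MustHavePermission`. The early `return` on the first non-hidden category whose name is in `categoryNames` is the right fail-closed shape: the trailing `throw` is reached only when no visible category lists the portlet. A short Javadoc stating that both conditions (explicit `ADD_TO_PAGE` permission via `PortletPermissionUtil.check` and membership in a non-hidden category) must hold would help the next reader.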
References
- github.com/advisories/GHSA-w3cr-3xw2-rp78 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-43759 (source: GHSA; type: advisory)
- github.com/liferay/liferay-portal/commit/2e29e6733bc0e058bef89d16faac542bf2585346 (source: GHSA; type: web)
- github.com/liferay/liferay-portal/commit/e8cbc7c27e5ed51c4079dd62738713f31afb46f7 (source: GHSA; type: web)
- liferay.atlassian.net/browse/LPE-18185 (source: GHSA; type: web)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43759 (source: GHSA; type: web)
News mentions
No linked articles in our index yet.