Moderate severityNVD Advisory· Published Aug 23, 2025· Updated Aug 25, 2025
CVE-2025-43766
CVE-2025-43766
Description
The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay:com.liferay.style.book.webMaven | < 2.0.117 | 2.0.117 |
Affected products
2- Liferay/DXPv5Range: 7.4.13
Patches
1d4a5b8fc9f88LPD-42742 validate style book thumbnail file extension
4 files changed · +85 −38
modules/apps/style-book/style-book-web/src/main/java/com/liferay/style/book/web/internal/portlet/action/UpdateStyleBookEntryPreviewMVCActionCommand.java+69 −38 modified@@ -6,20 +6,27 @@ package com.liferay.style.book.web.internal.portlet.action; import com.liferay.document.library.kernel.service.DLAppLocalService; +import com.liferay.petra.string.StringBundler; import com.liferay.portal.kernel.model.Repository; +import com.liferay.portal.kernel.portlet.LiferayPortletRequest; import com.liferay.portal.kernel.portlet.bridges.mvc.BaseMVCActionCommand; import com.liferay.portal.kernel.portlet.bridges.mvc.MVCActionCommand; import com.liferay.portal.kernel.portletfilerepository.PortletFileRepositoryUtil; import com.liferay.portal.kernel.repository.model.FileEntry; import com.liferay.portal.kernel.service.ServiceContext; +import com.liferay.portal.kernel.servlet.SessionErrors; import com.liferay.portal.kernel.theme.ThemeDisplay; import com.liferay.portal.kernel.util.ParamUtil; +import com.liferay.portal.kernel.util.Portal; import com.liferay.portal.kernel.util.TempFileEntryUtil; import com.liferay.portal.kernel.util.WebKeys; import com.liferay.style.book.constants.StyleBookPortletKeys; import com.liferay.style.book.model.StyleBookEntry; import com.liferay.style.book.service.StyleBookEntryService; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + import javax.portlet.ActionRequest; import javax.portlet.ActionResponse; @@ -44,65 +51,89 @@ protected void doProcessAction( ActionRequest actionRequest, ActionResponse actionResponse) throws Exception { - ThemeDisplay themeDisplay = (ThemeDisplay)actionRequest.getAttribute( - WebKeys.THEME_DISPLAY); - - long styleBookEntryId = ParamUtil.getLong( - actionRequest, "styleBookEntryId"); - long fileEntryId = ParamUtil.getLong(actionRequest, "fileEntryId"); FileEntry fileEntry = _dlAppLocalService.getFileEntry(fileEntryId); FileEntry tempFileEntry = fileEntry; - Repository repository = - PortletFileRepositoryUtil.fetchPortletRepository( - themeDisplay.getScopeGroupId(), - StyleBookPortletKeys.STYLE_BOOK); + String extension = fileEntry.getExtension(); - if (repository == null) { - ServiceContext serviceContext = new ServiceContext(); + Matcher matcher = _pattern.matcher(extension); - serviceContext.setAddGroupPermissions(true); - serviceContext.setAddGuestPermissions(true); + String mimeType = fileEntry.getMimeType(); - repository = PortletFileRepositoryUtil.addPortletRepository( - themeDisplay.getScopeGroupId(), StyleBookPortletKeys.STYLE_BOOK, - serviceContext); - } - - String fileName = - styleBookEntryId + "_preview." + fileEntry.getExtension(); + if (!matcher.find() || !mimeType.startsWith("image/")) { + LiferayPortletRequest liferayPortletRequest = + _portal.getLiferayPortletRequest(actionRequest); - FileEntry oldFileEntry = - PortletFileRepositoryUtil.fetchPortletFileEntry( - themeDisplay.getScopeGroupId(), repository.getDlFolderId(), - fileName); + hideDefaultErrorMessage(liferayPortletRequest); - if (oldFileEntry != null) { - PortletFileRepositoryUtil.deletePortletFileEntry( - oldFileEntry.getFileEntryId()); + SessionErrors.add( + liferayPortletRequest, + "styleBookEntryPreviewFileExtensionInvalid"); + } + else { + long styleBookEntryId = ParamUtil.getLong( + actionRequest, "styleBookEntryId"); + + ThemeDisplay themeDisplay = + (ThemeDisplay)actionRequest.getAttribute(WebKeys.THEME_DISPLAY); + + Repository repository = + PortletFileRepositoryUtil.fetchPortletRepository( + themeDisplay.getScopeGroupId(), + StyleBookPortletKeys.STYLE_BOOK); + + if (repository == null) { + ServiceContext serviceContext = new ServiceContext(); + + serviceContext.setAddGroupPermissions(true); + serviceContext.setAddGuestPermissions(true); + + repository = PortletFileRepositoryUtil.addPortletRepository( + themeDisplay.getScopeGroupId(), + StyleBookPortletKeys.STYLE_BOOK, serviceContext); + } + + String fileName = StringBundler.concat( + styleBookEntryId, "_preview.", extension); + + FileEntry oldFileEntry = + PortletFileRepositoryUtil.fetchPortletFileEntry( + themeDisplay.getScopeGroupId(), repository.getDlFolderId(), + fileName); + + if (oldFileEntry != null) { + PortletFileRepositoryUtil.deletePortletFileEntry( + oldFileEntry.getFileEntryId()); + } + + fileEntry = PortletFileRepositoryUtil.addPortletFileEntry( + null, themeDisplay.getScopeGroupId(), themeDisplay.getUserId(), + StyleBookEntry.class.getName(), styleBookEntryId, + StyleBookPortletKeys.STYLE_BOOK, repository.getDlFolderId(), + fileEntry.getContentStream(), fileName, fileEntry.getMimeType(), + false); + + _styleBookEntryService.updatePreviewFileEntryId( + styleBookEntryId, fileEntry.getFileEntryId()); } - - fileEntry = PortletFileRepositoryUtil.addPortletFileEntry( - null, themeDisplay.getScopeGroupId(), themeDisplay.getUserId(), - StyleBookEntry.class.getName(), styleBookEntryId, - StyleBookPortletKeys.STYLE_BOOK, repository.getDlFolderId(), - fileEntry.getContentStream(), fileName, fileEntry.getMimeType(), - false); - - _styleBookEntryService.updatePreviewFileEntryId( - styleBookEntryId, fileEntry.getFileEntryId()); TempFileEntryUtil.deleteTempFileEntry(tempFileEntry.getFileEntryId()); sendRedirect(actionRequest, actionResponse); } + private static final Pattern _pattern = Pattern.compile( + "(bmp|jpeg|jpg|png|tiff)$"); + @Reference private DLAppLocalService _dlAppLocalService; + @Reference + private Portal _portal; + @Reference private StyleBookEntryService _styleBookEntryService;
modules/apps/style-book/style-book-web/src/main/java/com/liferay/style/book/web/internal/servlet/taglib/util/StyleBookEntryActionDropdownItemsProvider.java+2 −0 modified@@ -245,6 +245,8 @@ private String _getItemSelectorURL() { UploadItemSelectorCriterion.builder( ).desiredItemSelectorReturnTypes( new FileEntryItemSelectorReturnType() + ).extensions( + new String[] {".bmp", ".jpeg", ".jpg", ".png", ".tiff"} ).maxFileSize( UploadServletRequestConfigurationProviderUtil.getMaxSize() ).portletId(
modules/apps/style-book/style-book-web/src/main/resources/META-INF/resources/init.jsp+1 −0 modified@@ -22,6 +22,7 @@ page import="com.liferay.petra.string.StringUtil" %><%@ page import="com.liferay.portal.kernel.language.LanguageUtil" %><%@ page import="com.liferay.portal.kernel.portlet.LiferayWindowState" %><%@ page import="com.liferay.portal.kernel.portlet.url.builder.PortletURLBuilder" %><%@ +page import="com.liferay.portal.kernel.servlet.SessionErrors" %><%@ page import="com.liferay.portal.kernel.servlet.SessionMessages" %><%@ page import="com.liferay.portal.kernel.util.HashMapBuilder" %><%@ page import="com.liferay.portal.kernel.util.ListUtil" %><%@
modules/apps/style-book/style-book-web/src/main/resources/META-INF/resources/view.jsp+13 −0 modified@@ -7,6 +7,19 @@ <%@ include file="/init.jsp" %> +<c:if test='<%= SessionErrors.contains(liferayPortletRequest, "styleBookEntryPreviewFileExtensionInvalid") %>'> + <aui:script> + Liferay.Util.openToast({ + message: '<liferay-ui:message key="file-type-is-invalid" />', + title: Liferay.Language.get('error'), + toastProps: { + autoClose: 5000, + }, + type: 'danger', + }); + </aui:script> +</c:if> + <% StyleBookDisplayContext styleBookDisplayContext = new StyleBookDisplayContext(request, liferayPortletRequest, liferayPortletResponse); %>
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-mf9q-87xx-jgvvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-43766ghsaADVISORY
- github.com/liferay/liferay-portal/commit/d4a5b8fc9f88468168603ff8a1f9b81fa5b7c43eghsaWEB
- liferay.atlassian.net/browse/LPE-18145ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43766ghsaWEB
News mentions
0No linked articles in our index yet.