Moderate severityNVD Advisory· Published Sep 12, 2025· Updated Sep 24, 2025
CVE-2025-43788
CVE-2025-43788
Description
The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.organizations.item.selector.web (Maven) | >= 4.0.2, < 4.0.22 | 4.0.22 |
Affected products
2- Liferay/DXPv5Range: 7.4.13-u81
Patches
1730b0840530e LPD-24824 copy implementation from admin organizations portlet
2 files changed · +34 −4
modules/apps/organizations/organizations-item-selector-web/src/main/java/com/liferay/organizations/item/selector/web/internal/display/context/OrganizationItemSelectorViewDisplayContext.java+32 −3 modified@@ -14,11 +14,18 @@ import com.liferay.portal.kernel.model.Organization; import com.liferay.portal.kernel.model.OrganizationConstants; import com.liferay.portal.kernel.security.auth.CompanyThreadLocal; +import com.liferay.portal.kernel.security.permission.ActionKeys; +import com.liferay.portal.kernel.security.permission.PermissionChecker; import com.liferay.portal.kernel.service.OrganizationLocalService; +import com.liferay.portal.kernel.theme.ThemeDisplay; import com.liferay.portal.kernel.util.JavaConstants; import com.liferay.portal.kernel.util.ParamUtil; +import com.liferay.portal.kernel.util.Portal; +import com.liferay.portal.kernel.util.WebKeys; import com.liferay.portlet.usersadmin.util.UsersAdminUtil; +import java.util.LinkedHashMap; + import javax.portlet.PortletURL; import javax.portlet.RenderRequest; import javax.portlet.RenderResponse; @@ -33,10 +40,12 @@ public class OrganizationItemSelectorViewDisplayContext { public OrganizationItemSelectorViewDisplayContext( OrganizationItemSelectorCriterion organizationItemSelectorCriterion, OrganizationLocalService organizationLocalService, - HttpServletRequest httpServletRequest, PortletURL portletURL) { + HttpServletRequest httpServletRequest, Portal portal, + PortletURL portletURL) { _organizationItemSelectorCriterion = organizationItemSelectorCriterion; _organizationLocalService = organizationLocalService; + _portal = portal; _portletURL = portletURL; _renderRequest = (RenderRequest)httpServletRequest.getAttribute( 
@@ -74,17 +83,36 @@ public SearchContainer<Organization> getSearchContainer() OrganizationSearchTerms organizationSearchTerms = (OrganizationSearchTerms)_searchContainer.getSearchTerms(); + ThemeDisplay themeDisplay = (ThemeDisplay)_renderRequest.getAttribute( + WebKeys.THEME_DISPLAY); + + PermissionChecker permissionChecker = + themeDisplay.getPermissionChecker(); + + LinkedHashMap<String, Object> params = new LinkedHashMap<>(); + + if (!permissionChecker.hasPermission( + null, Organization.class.getName(), + Organization.class.getName(), ActionKeys.VIEW)) { + + params.put( + "organizationsTree", + _organizationLocalService.getUserOrganizations( + _portal.getUserId(_renderRequest), true)); + } + _searchContainer.setResultsAndTotal( () -> _organizationLocalService.search( CompanyThreadLocal.getCompanyId(), OrganizationConstants.ANY_PARENT_ORGANIZATION_ID, - organizationSearchTerms.getKeywords(), null, null, null, null, + organizationSearchTerms.getKeywords(), null, null, null, params, _searchContainer.getStart(), _searchContainer.getEnd(), _searchContainer.getOrderByComparator()), _organizationLocalService.searchCount( CompanyThreadLocal.getCompanyId(), OrganizationConstants.ANY_PARENT_ORGANIZATION_ID, - organizationSearchTerms.getKeywords(), null, null, null, null)); + organizationSearchTerms.getKeywords(), null, null, null, + params)); _searchContainer.setRowChecker( new OrganizationItemSelectorChecker( @@ -98,6 +126,7 @@ public SearchContainer<Organization> getSearchContainer() private final OrganizationItemSelectorCriterion _organizationItemSelectorCriterion; private final OrganizationLocalService _organizationLocalService; + private final Portal _portal; private final PortletURL _portletURL; private final RenderRequest _renderRequest; private final RenderResponse _renderResponse;
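Review bot: The narrowing added in getSearchContainer only applies when the caller lacks company-wide Organization VIEW, and it hands whatever `getUserOrganizations` returns straight to the `organizationsTree` finder parameter; if that list is empty for a user with no memberships, the finder may treat an empty tree as "no filter" rather than "no results", which would reopen the listing the advisory describes, so that case deserves an explicit regression test. The intent of the branch is not obvious from the code, so a comment above it would help: `// Users without company-wide Organization VIEW may only see organizations they belong to (LPD-24824).` The null argument and the repeated class name passed to hasPermission read as a model-resource check rather than an instance check; a one-line comment saying so would save the next reader a lookup. The commit title says this block is copied from the admin organizations portlet, so a shared helper would keep the two checks from drifting apart. getSearchContainer starts before the hunk and continues after it.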
modules/apps/organizations/organizations-item-selector-web/src/main/java/com/liferay/organizations/item/selector/web/internal/OrganizationItemSelectorView.java+2 −1 modified@@ -70,7 +70,8 @@ public void renderHTML( organizationItemSelectorViewDisplayContext = new OrganizationItemSelectorViewDisplayContext( organizationItemSelectorCriterion, - _organizationLocalService, httpServletRequest, portletURL); + _organizationLocalService, httpServletRequest, _portal, + portletURL); _itemSelectorViewDescriptorRenderer.renderHTML( httpServletRequest, servletResponse,
References