Low severity · NVD Advisory · Published Sep 12, 2025 · Updated Sep 12, 2025

CVE-2025-43789

CVE-2025-43789

Description

JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and in Liferay DXP 2024.Q1.1 through 2024.Q1.9 and 7.4 GA through update 92, that are published to OSGi are registered and invoked directly as classes, which allows Service Access Policies to be executed.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay:com.liferay.comment.web (Maven)
>= 6.0.2, < 6.1.4 | 6.1.4

Affected products


Patches

4
e91daba3736e

LPD-4056 Rename to match @AopService and @AccessControlled

https://github.com/liferay/liferay-portal · Brian Chan · Apr 27, 2024 · via ghsa
1 file changed · +7 7
  • modules/apps/portal-remote/portal-remote-json-web-service-web-test/src/testIntegration/java/com/liferay/portal/remote/json/web/service/web/service/test/JSONWebServiceAccessControlTest.java+7 7 modified
    @@ -47,7 +47,7 @@ public void testAccessControlled() throws InvalidSyntaxException {
     		BundleContext bundleContext = bundle.getBundleContext();
     
     		for (ServiceReference<?> serviceReference :
    -				_getJSONWebServiceReferences(bundleContext)) {
    +				_getServiceReferences(bundleContext)) {
     
     			Class<?> clazz = _getTargetClass(
     				bundleContext.getService(serviceReference));
    @@ -56,19 +56,19 @@ public void testAccessControlled() throws InvalidSyntaxException {
     				continue;
     			}
     
    -			Assert.assertTrue(_isAccessControlled(clazz));
    +			Assert.assertTrue(_hasAccessControlled(clazz));
     		}
     	}
     
     	@Test
    -	public void testAopEnabled() throws InvalidSyntaxException {
    +	public void testAopService() throws InvalidSyntaxException {
     		Bundle bundle = FrameworkUtil.getBundle(
     			JSONWebServiceAccessControlTest.class);
     
     		BundleContext bundleContext = bundle.getBundleContext();
     
     		for (ServiceReference<?> serviceReference :
    -				_getJSONWebServiceReferences(bundleContext)) {
    +				_getServiceReferences(bundleContext)) {
     
     			Object service = bundleContext.getService(serviceReference);
     
    @@ -80,13 +80,13 @@ public void testAopEnabled() throws InvalidSyntaxException {
     		}
     	}
     
    -	private ServiceReference<?>[] _getJSONWebServiceReferences(
    +	private ServiceReference<?>[] _getServiceReferences(
     			BundleContext bundleContext)
     		throws InvalidSyntaxException {
     
     		return bundleContext.getServiceReferences(
     			(String)null,
    -			"(&(json.web.service.context.path=*)(component.name=*))");
    +			"(&(component.name=*)(json.web.service.context.path=*))");
     	}
     
     	private Class<?> _getTargetClass(Object service) {
    @@ -120,7 +120,7 @@ else if (invocationHandler instanceof ClassLoaderBeanHandler) {
     		return service.getClass();
     	}
     
    -	private boolean _isAccessControlled(Class<?> clazz) {
    +	private boolean _hasAccessControlled(Class<?> clazz) {
     		while (clazz != null) {
     			if (clazz.isAnnotationPresent(AccessControlled.class)) {
     				return true;
    
576039619a12

LPD-4056 An interface is required to be able to proxy

https://github.com/liferay/liferay-portal · Istvan Sajtos · Jan 18, 2024 · via ghsa
2 files changed · +60 1
  • modules/apps/comment/comment-web/src/main/java/com/liferay/comment/web/internal/jsonws/CommentManagerJSONWSImpl.java+11 1 modified
    @@ -43,8 +43,10 @@
     	service = CommentManagerJSONWS.class
     )
     @JSONWebService
    -public class CommentManagerJSONWSImpl extends BaseServiceImpl {
    +public class CommentManagerJSONWSImpl extends BaseServiceImpl
    +	implements CommentManagerJSONWS{
     
    +	@Override
     	public long addComment(
     			long groupId, String className, long classPK, String body)
     		throws PortalException {
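Review bot: The new `implements CommentManagerJSONWS{` line is missing the space before the brace that every other declaration in this file uses; it should read `implements CommentManagerJSONWS {`. Nothing in the code records why a single-implementation interface was introduced, and the commit message is the only place that says a proxy needs one, so a one-line note above the class such as `// Implements an interface so the JSON web service component can be proxied and its advices applied.` would keep that reasoning with the code. The registration on the context line `service = CommentManagerJSONWS.class` is left as is here, whereas the CommerceCountryManagerImpl fix on this page registers `AopService.class` and overrides `getAopInterfaces()`; presumably `BaseServiceImpl` subclasses are proxied by a different path, but that is worth confirming so the access check is actually intercepted for this component. The class body continues outside the hunk.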
    @@ -59,13 +61,15 @@ public long addComment(
     			_createServiceContextFunction(companyId));
     	}
     
    +	@Override
     	public void deleteComment(long commentId) throws PortalException {
     		_discussionPermission.checkDeletePermission(
     			getPermissionChecker(), commentId);
     
     		_commentManager.deleteComment(commentId);
     	}
     
    +	@Override
     	public List<CommentJSONWS> getComments(long commentId, int start, int end)
     		throws PortalException {
     
    @@ -81,6 +85,7 @@ public List<CommentJSONWS> getComments(long commentId, int start, int end)
     		return getComments(discussionComment, start, end);
     	}
     
    +	@Override
     	public List<CommentJSONWS> getComments(
     			long groupId, String className, long classPK, int start, int end)
     		throws PortalException {
    @@ -96,6 +101,7 @@ public List<CommentJSONWS> getComments(
     		return getComments(discussion.getRootDiscussionComment(), start, end);
     	}
     
    +	@Override
     	public int getCommentsCount(long groupId, String className, long classPK)
     		throws PortalException {
     
    @@ -106,6 +112,7 @@ public int getCommentsCount(long groupId, String className, long classPK)
     		return _commentManager.getCommentsCount(className, classPK);
     	}
     
    +	@Override
     	public boolean hasDiscussion(long groupId, String className, long classPK)
     		throws PortalException {
     
    @@ -116,6 +123,7 @@ public boolean hasDiscussion(long groupId, String className, long classPK)
     		return _commentManager.hasDiscussion(className, classPK);
     	}
     
    +	@Override
     	public void subscribeDiscussion(
     			long groupId, String className, long classPK)
     		throws PortalException {
    @@ -128,6 +136,7 @@ public void subscribeDiscussion(
     			getUserId(), groupId, className, classPK);
     	}
     
    +	@Override
     	public void unsubscribeDiscussion(
     			long groupId, String className, long classPK)
     		throws PortalException {
    @@ -139,6 +148,7 @@ public void unsubscribeDiscussion(
     		_commentManager.unsubscribeDiscussion(getUserId(), className, classPK);
     	}
     
    +	@Override
     	public long updateComment(
     			String className, long classPK, long commentId, String subject,
     			String body)
    
  • modules/apps/comment/comment-web/src/main/java/com/liferay/comment/web/internal/jsonws/CommentManagerJSONWS.java+49 0 added
    @@ -0,0 +1,49 @@
    +/**
    + * SPDX-FileCopyrightText: (c) 2000 Liferay, Inc. https://liferay.com
    + * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06
    + */
    +
    +package com.liferay.comment.web.internal.jsonws;
    +
    +import com.liferay.portal.kernel.exception.PortalException;
    +
    +import java.util.List;
    +
    +/**
    + * @author Istvan Sajtos
    + */
    +public interface CommentManagerJSONWS {
    +
    +	public long addComment(
    +			long groupId, String className, long classPK, String body)
    +		throws PortalException;
    +
    +	public void deleteComment(long commentId) throws PortalException;
    +
    +	public List<CommentJSONWS> getComments(long commentId, int start, int end)
    +		throws PortalException;
    +
    +	public List<CommentJSONWS> getComments(
    +			long groupId, String className, long classPK, int start, int end)
    +		throws PortalException;
    +
    +	public int getCommentsCount(long groupId, String className, long classPK)
    +		throws PortalException;
    +
    +	public boolean hasDiscussion(long groupId, String className, long classPK)
    +		throws PortalException;
    +
    +	public void subscribeDiscussion(
    +			long groupId, String className, long classPK)
    +		throws PortalException;
    +
    +	public void unsubscribeDiscussion(
    +			long groupId, String className, long classPK)
    +		throws PortalException;
    +
    +	public long updateComment(
    +			String className, long classPK, long commentId, String subject,
    +			String body)
    +		throws PortalException;
    +
    +}
    \ No newline at end of file
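Review bot: Every method in the new `CommentManagerJSONWS` interface carries an explicit `public` modifier, which is redundant on interface members and reads as noise; `long addComment(long groupId, String className, long classPK, String body) throws PortalException;` is sufficient, and the same applies to the other eight declarations. The file also ends without a trailing newline, which git marks on the last hunk line and most formatters flag. The type-level Javadoc only names the author; a sentence stating the interface's purpose, e.g. `Remote interface for {@code CommentManagerJSONWSImpl}; an interface is required so the component can be proxied and advised.`, would tell the next reader why an interface with one implementation exists, with the proxying rationale taken from the commit message rather than anything visible in the code.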
    
cb349be99939

LPD-4056 Rename to reflect our naming convention

https://github.com/liferay/liferay-portal · Istvan Sajtos · Jan 18, 2024 · via ghsa
1 file changed · +1 1
  • modules/apps/comment/comment-web/src/main/java/com/liferay/comment/web/internal/jsonws/CommentManagerJSONWSImpl.java+1 1 renamed
    @@ -43,7 +43,7 @@
     	service = CommentManagerJSONWS.class
     )
     @JSONWebService
    -public class CommentManagerJSONWS extends BaseServiceImpl {
    +public class CommentManagerJSONWSImpl extends BaseServiceImpl {
     
     	public long addComment(
     			long groupId, String className, long classPK, String body)
    
dfdd81d51808

LPD-4056 Ensure CommerceCountryManagerImpl is intercepted by advices

https://github.com/liferay/liferay-portal · Istvan Sajtos · Jan 11, 2024 · via ghsa
1 file changed · +11 2
  • modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/internal/country/CommerceCountryManagerImpl.java+11 2 modified
    @@ -13,7 +13,9 @@
     import com.liferay.petra.sql.dsl.query.FromStep;
     import com.liferay.petra.sql.dsl.query.GroupByStep;
     import com.liferay.petra.sql.dsl.query.JoinStep;
    +import com.liferay.portal.aop.AopService;
     import com.liferay.portal.kernel.jsonwebservice.JSONWebService;
    +import com.liferay.portal.kernel.jsonwebservice.JSONWebServiceMode;
     import com.liferay.portal.kernel.model.Country;
     import com.liferay.portal.kernel.model.CountryTable;
     import com.liferay.portal.kernel.service.ClassNameLocalService;
    @@ -33,10 +35,17 @@
     		"json.web.service.context.name=commerce",
     		"json.web.service.context.path=CommerceCountryManager"
     	},
    -	service = CommerceCountryManager.class
    +	service = AopService.class
     )
     @JSONWebService
    -public class CommerceCountryManagerImpl implements CommerceCountryManager {
    +public class CommerceCountryManagerImpl
    +	implements AopService, CommerceCountryManager {
    +
    +	@JSONWebService(mode = JSONWebServiceMode.IGNORE)
    +	@Override
    +	public Class<?>[] getAopInterfaces() {
    +		return new Class<?>[] {CommerceCountryManager.class};
    +	}
     
     	@Override
     	public List<Country> getBillingCountries(
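Review bot: The change to `service = AopService.class` together with the `getAopInterfaces()` override is the substance of the fix, but nothing in the code says so, and a reader seeing `@JSONWebService(mode = JSONWebServiceMode.IGNORE)` on `getAopInterfaces()` has no hint that it is there to keep the AOP plumbing method out of the remote API while the component is now served through the advised proxy. A comment above that annotation, `// Registered as AopService so the remote methods are invoked through the advised proxy; this plumbing method must not be exposed as a JSON web service.`, would capture both reasons. The `JSONWebServiceAccessControlTest` on this page selects components by the `json.web.service.context.path` property, which is present on the context lines of this hunk, so this component should be covered by `testAopService`; worth confirming once the rename in e91daba3736e lands. The class body continues outside the hunk.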
    


References

