Our news and updates

In Liferay Portal versions 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions a medium severity vulnerability CVE-2025-43809 was detected. This vulnerability allows remote attackers to register a server license via the ‘orderUuid’ parameter. To fix this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.8, or 2023.Q3.9. For more information, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43809.

In Mattermost versions 9.11.x ≤ 9.11.17, 10.5.x ≤ 10.5.8, 10.8.x ≤ 10.8.3, 10.9.x ≤ 10.9.3, and 10.10.x ≤ 10.10.1 a critical severity vulnerability CVE-2025-9079 was detected. This vulnerability allows admin users to execute arbitrary code by uploading a malicious plugin to the prepackaged plugins directory due to improper validation of the import directory path configuration. To fix this issue, users should upgrade Mattermost to version 9.11.18, 10.5.9, 10.8.4, 10.9.4, 10.10.2, or 10.11.0. For more information, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9079.

In Liferay Portal versions 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 a medium severity vulnerability CVE-2025-43808 was detected. The Commerce component saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL. To fix this issue, users should upgrade to Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0, 2024.Q1.1, or 2023.Q4.7. For more information, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43808.

In Liferay Portal 7.4.0 through 7.4.3.119 and Liferay DXP 2023.Q3–Q4 versions a medium severity vulnerability CVE-2025-43803 was found. It allows attackers to see contact names and email addresses through the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter. To fix this, upgrade to Liferay Portal 7.4.3.120 or Liferay DXP 2024.Q2.0, 2024.Q1.1, or 2023.Q4.7. For details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43803.

In Mattermost versions 10.5.x ≤ 10.5.8 and 9.11.x ≤ 9.11.17 a low severity vulnerability CVE-2025-9081 was detected. This vulnerability allows any authenticated user to download sensitive files via the board file download endpoint using UUID enumeration due to improper access control validation. To fix this problem, users should upgrade to Mattermost version 10.5.9 or 9.11.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9081.

In Jenkins versions 2.527 and earlier, and LTS 2.516.2 and earlier a medium severity vulnerability CVE-2025-59476 was detected. This vulnerability allows attackers to forge log entries by injecting line break characters into user-controlled log message content, potentially misleading administrators reviewing logs. To address this issue users must upgrade to Jenkins weekly 2.528 and to Jenkins LTS 2.516.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59476.

In Liferay Portal versions 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35 a medium severity vulnerability CVE-2025-43802 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the externalReferenceCode parameter in a custom object’s /o/c/<object-name> API endpoint. To fix this problem, users should upgrade to version 7.4.3.110, 2024.Q1.1, 2023.Q4.1, 2023.Q3.5, or 7.3 Update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43802.

In Liferay Portal versions 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35 a medium severity vulnerability CVE-2025-43801 was detected. This vulnerability allows remote attackers to perform denial-of-service (DoS) attacks through a crafted XML-RPC request. To fix this problem, users should upgrade to version 7.4.3.112, 2024.Q1.1, 2023.Q4.0, 2023.Q3.5, or 7.3 U36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43801.

In Liferay Portal versions 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43800 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML by exploiting a crafted payload in an object with a rich text type field. To fix this problem, users should upgrade to version 7.4.3.112, 2024.Q1.1, 2023.Q4.1, or 2023.Q3.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43800.