CVE-2025-43813 Possible path traversal and DoS with Combo Servlet

Description

A possible path traversal vulnerability and denial-of-service condition in the ComboServlet in Liferay Portal and Liferay DXP allow remote attackers to access arbitrary CSS and JS files and to load the same files multiple times via the query string of a URL.
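A defender-side log heuristic for the two request shapes this advisory describes (traversal sequences in combo file references, and the same file referenced many times in one combo request). This is an added example, not Liferay code; it assumes the combo servlet is served at `/combo` and that file references appear as bare path parameters in the query string, and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not real traffic); the query shapes are assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2024:17:01:02 +0000] "GET /combo?minifierType=js&/o/frontend-js-web/index.js&/o/frontend-js-web/util.js HTTP/1.1" 200 5120
10.0.0.9 - - [24/Oct/2024:17:01:03 +0000] "GET /combo?minifierType=css&/../../other-theme/css/main.css HTTP/1.1" 200 812
10.0.0.9 - - [24/Oct/2024:17:01:04 +0000] "GET /combo?minifierType=js&/o/a.js&/o/a.js&/o/a.js&/o/a.js HTTP/1.1" 200 9000
10.0.0.7 - - [24/Oct/2024:17:01:05 +0000] "GET /combo?minifierType=css&/o/x.css&%2e%2e/%2e%2e/other-theme/css/main.css HTTP/1.1" 200 100
10.0.0.2 - - [24/Oct/2024:17:01:06 +0000] "GET /web/guest/home HTTP/1.1" 200 30000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')   # a ".." path segment


def fully_unquote(value):
    """Percent-decode until stable so double-encoded sequences are normalised."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def analyze_combo_request(target, dup_threshold=3):
    """Return findings for one request target, or None if it is not a combo request."""
    parts = urlsplit(target)
    if parts.path != "/combo":          # assumed mount point of the combo servlet
        return None
    params = [fully_unquote(p) for p in parts.query.split("&") if p]
    files = [p for p in params if "=" not in p]   # bare entries are file references
    findings = [("traversal", f) for f in files if TRAVERSAL_RE.search(f)]
    for f, n in Counter(files).items():           # same file pulled repeatedly
        if n >= dup_threshold:
            findings.append(("repeated_file", f"{f} x{n}"))
    return findings


def scan_log(text, dup_threshold=3):
    """Yield (client, findings) for every suspicious combo request in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = analyze_combo_request(m.group("target"), dup_threshold)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


if __name__ == "__main__":
    for client, findings in scan_log(SAMPLE_LOG):
        print(client, findings)
```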

Severity

6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.107
  • Liferay Portal 7.3.0 through 7.3.7
  • Liferay DXP 2023.Q4.0 through 2023.Q4.4
  • Liferay DXP 2023.Q3.1 through 2023.Q3.8
  • Liferay DXP 7.4 GA through update 92
  • Liferay DXP 7.3 GA through update 35
  • Older, unsupported versions are also affected

Fixed Version(s)

Acknowledgments

This issue was reported by Sébastien Sauty

Publication date: Thu, 24 Oct 2024 17:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.