The vulnerability, identified as CVE-2025-43788, is a missing authorization check in the organization selector functionality of Liferay Portal. Any authenticated user could retrieve the complete list of organizations in the portal instance without holding the permission that is supposed to gate that view.
The analysis of the provided patch commit 730b0840530e2fbd98d482c9f1a1f0f8391a2369 reveals the exact location of the flaw.
The core of the vulnerability is the getSearchContainer method of the OrganizationItemSelectorViewDisplayContext class. Before the fix, this method searched for organizations (_organizationLocalService.search) without consulting the caller's permissions at all: the only filter applied to the result set was the keywords the user typed into the selector, so an empty or wildcard search enumerated every organization in the company.
The patch rectifies this by introducing a permission check. It retrieves the current user's PermissionChecker and verifies whether the user has the VIEW action permission on the Organization class. If the user lacks that permission, the search is not rejected but narrowed: the organizations the user is a member of are fetched with _organizationLocalService.getUserOrganizations and passed as a parameter to the main search call, so only those organizations can match. This stops unauthorized users from enumerating all organizations through the selector. Note that the restriction lives in the presentation-layer display context rather than in _organizationLocalService itself; Liferay LocalService methods perform no permission checks by design, so any other code path that calls the same search directly is not covered by this change.
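The before/after sketch below is an added illustration of the pattern the patch describes; it is written for this page and is not the project's code from the commit. It assumes Liferay 7.x kernel APIs (PermissionThreadLocal, OrganizationLocalService.search and getUserOrganizations, ActionKeys.VIEW). Two details are assumptions rather than facts taken from the patch: that the class-level VIEW check is expressed with the Organization class name as both resource name and primary key, and that the search accepts an "organizationsTree" finder parameter to restrict results to a given list of organizations.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;

import com.liferay.portal.kernel.dao.orm.QueryUtil;
import com.liferay.portal.kernel.model.Organization;
import com.liferay.portal.kernel.model.OrganizationConstants;
import com.liferay.portal.kernel.security.permission.ActionKeys;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
import com.liferay.portal.kernel.service.OrganizationLocalService;

/**
 * Illustrative sketch (not the Liferay source) of the organization search
 * behind the item selector, in its vulnerable and its hardened shape.
 */
public class OrganizationSelectorSearchExample {

    private final OrganizationLocalService _organizationLocalService;

    public OrganizationSelectorSearchExample(
            OrganizationLocalService organizationLocalService) {
        _organizationLocalService = organizationLocalService;
    }

    /**
     * Vulnerable shape: the keywords are the only filter, so any authenticated
     * caller can enumerate every organization in the company.
     */
    public List<Organization> searchBeforeFix(long companyId, String keywords) {
        return _organizationLocalService.search(
            companyId, OrganizationConstants.ANY_PARENT_ORGANIZATION_ID, keywords,
            null, null, null, new LinkedHashMap<String, Object>(),
            QueryUtil.ALL_POS, QueryUtil.ALL_POS, null);
    }

    /**
     * Hardened shape: without VIEW on the Organization model resource, the
     * search is scoped to the organizations the caller belongs to.
     */
    public List<Organization> searchAfterFix(long groupId, String keywords) {
        PermissionChecker permissionChecker =
            PermissionThreadLocal.getPermissionChecker();

        LinkedHashMap<String, Object> params = new LinkedHashMap<>();

        // Assumption: the class-level VIEW check uses the model class name as
        // resource name and primary key. The real patch may go through a
        // *PermissionUtil helper instead; the decision it yields is the same.
        boolean canViewAllOrganizations = permissionChecker.hasPermission(
            groupId, Organization.class.getName(), Organization.class.getName(),
            ActionKeys.VIEW);

        if (!canViewAllOrganizations) {
            List<Organization> userOrganizations =
                _organizationLocalService.getUserOrganizations(
                    permissionChecker.getUserId());

            // Edge case: a user with no memberships must see nothing. Returning
            // early guarantees an empty restriction list never degrades into
            // "no restriction" inside the finder.
            if (userOrganizations.isEmpty()) {
                return Collections.emptyList();
            }

            // Assumption: "organizationsTree" is the finder parameter that
            // limits matches to the supplied organizations.
            params.put("organizationsTree", userOrganizations);
        }

        return _organizationLocalService.search(
            permissionChecker.getCompanyId(),
            OrganizationConstants.ANY_PARENT_ORGANIZATION_ID, keywords,
            null, null, null, params,
            QueryUtil.ALL_POS, QueryUtil.ALL_POS, null);
    }
}
```

The point to take from the two methods is where the decision is made: the permission is evaluated once in the calling layer and then translated into a narrower query, rather than filtering the full result list after the fact. A post-filter would still let the unprivileged caller observe the total count and pagination of the unrestricted search.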
The renderHTML method in OrganizationItemSelectorView is also identified as a relevant function. It does not perform the vulnerable search itself, but it is the entry point that constructs the OrganizationItemSelectorViewDisplayContext object, so invoking this rendering path is a prerequisite for reaching the unguarded search logic. In a runtime profile, a call to renderHTML followed by getSearchContainer is therefore the call sequence to look for when checking whether the selector is being driven to enumerate organizations.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.organizations.item.selector.web | maven | >= 4.0.2, < 4.0.22 | 4.0.22 |