CVE-2025-3586 — Incorrect Authorization in Portal

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 38.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedSep 1

Latest updateDec 12

Description

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions. In co…

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.3.27 — 7.4.3.43

▶CVEListV5liferay/portal7.4.3.27 — 7.4.3.42

▶CVEListV5liferay/dxp7.4.13-u27 — 7.4.13-u42+3

▶NVDliferay/digital_experience_platform2023.Q3.1 — 2023.Q3.10+3

🔴Vulnerability Details

GHSA

Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations↗2025-12-12

▶

OSV

Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations↗2025-12-12

▶

CVEList

CVE-2025-3586: In Liferay Portal 7↗2025-09-01

▶