CVE-2025-4604 — Cross-site Scripting in DXP

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 92.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Portal Liferay Digital Experience Platform +1 more

Timeline

PublishedAug 4

Latest updateAug 5

Description

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Affected Packages4 packages

▶CVEListV5liferay/portal7.4.0 — 7.4.3.132

▶NVDliferay/liferay_portal7.4.3.80 — 7.4.3.132

▶CVEListV5liferay/dxp7.4.13-u80 — 7.4.13-u92+5

▶NVDliferay/digital_experience_platform2024.q1.1 — 2024.q1.19+5

🔴Vulnerability Details

GHSA

Liferay Portal CAPTCHA Bypass for Gogo Shell↗2025-08-05

▶

OSV

Liferay Portal CAPTCHA Bypass for Gogo Shell↗2025-08-05

▶

CVEList

CVE-2025-4604: The vulnerable code can bypass the Captcha check in Liferay Portal 7↗2025-08-04

▶