CVE-2025-62257

CWE-3074 documents4 sources
Severity
6.3MEDIUM
EPSS
0.0%
top 96.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Liferay Liferay PortalLiferay DXPLiferay Portal+1 more
Timeline
PublishedOct 30

Description

Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

NVDliferay/liferay_portal7.4.07.4.3.120
Mavencom.liferay.portal:release.portal.bom7.4.0-ga17.4.3.120
CVEListV5liferay/portal7.4.07.4.3.119
CVEListV5liferay/dxp7.4.137.4.13-u92+3

🔴Vulnerability Details

3
OSV
Liferay Portal vulnerable to password enumeration2025-10-30
GHSA
Liferay Portal vulnerable to password enumeration2025-10-30
CVEList
CVE-2025-62257: Password enumeration vulnerability in Liferay Portal 72025-10-29
CVE-2025-62257 (MEDIUM CVSS 6.3) | Password enumeration vulnerability | cvebase.io