CVE-2025-62258 — Cross-Site Request Forgery in Portal

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 93.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedOct 27

Latest updateOct 28

Description

CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.108

▶CVEListV5liferay/portal7.4.0 — 7.4.3.107

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u35+2

▶NVDliferay/digital_experience_platform6 versions+5

🔴Vulnerability Details

GHSA

Liferay Portal Vulnerable to CSRF in Headless APIs↗2025-10-28

▶

OSV

Liferay Portal Vulnerable to CSRF in Headless APIs↗2025-10-28

▶

CVEList

CVE-2025-62258: CSRF vulnerability in Headless API in Liferay Portal 7↗2025-10-27

▶