CVE-2025-62259 — Incorrect Authorization in Portal

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 82.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedOct 27

Latest updateOct 28

Description

Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal< 7.4.3.110

▶CVEListV5liferay/portal7.4.0 — 7.4.3.109

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u35+2

▶NVDliferay/digital_experience_platform7.0+8

🔴Vulnerability Details

OSV

Liferay Portal Does Not Limit Access to APIs Before Email Verification↗2025-10-28

▶

GHSA

Liferay Portal Does Not Limit Access to APIs Before Email Verification↗2025-10-28

▶

CVEList

CVE-2025-62259: Liferay Portal 7↗2025-10-27

▶