CVE-2025-4581
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2024.q1.1 (inc) to 2024.q1.15 (inc) |
| liferay | digital_experience_platform | From 2024.q2.0 (inc) to 2024.q2.13 (inc) |
| liferay | digital_experience_platform | From 2024.q3.1 (inc) to 2024.q3.13 (inc) |
| liferay | digital_experience_platform | From 2024.q4.0 (inc) to 2024.q4.7 (inc) |
| liferay | digital_experience_platform | From 2025.q1.0 (inc) to 2025.q1.4 (inc) |
| liferay | digital_experience_platform | 7.4 |
| liferay | liferay_portal | From 7.4.0 (inc) to 7.4.3.132 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a pre-authentication blind Server-Side Request Forgery (SSRF) in the specified versions of Liferay Portal and Liferay DXP. It occurs because user-supplied URLs are not properly validated in the portal-settings-authentication-opensso-web component. An attacker can exploit this, without authenticating, to make the server send arbitrary HTTP requests to internal systems, potentially allowing internal network enumeration or further attacks.
How can this vulnerability impact me?
The vulnerability can allow an attacker to make the affected server send arbitrary HTTP requests to internal systems. This can lead to internal network enumeration, exposing internal infrastructure details, and potentially enable further exploitation of internal services that are not directly accessible from outside the network.