CVE-2025-62275
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-10
Assigner: Liferay Inc.
Description
The Blogs component of Liferay Portal and Liferay DXP does not check permissions for images embedded in blog entries, so a remote, unauthenticated attacker can view such images via a crafted URL (CWE-863, incorrect authorization).
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 2023.q3.1 |
| liferay | digital_experience_platform | 2023.q3.2 |
| liferay | digital_experience_platform | 2023.q3.3 |
| liferay | digital_experience_platform | 2023.q3.4 |
| liferay | digital_experience_platform | 2023.q3.5 |
| liferay | digital_experience_platform | 2023.q3.6 |
| liferay | digital_experience_platform | 2023.q3.7 |
| liferay | digital_experience_platform | 2023.q3.8 |
| liferay | digital_experience_platform | 2023.q3.9 |
| liferay | digital_experience_platform | 2023.q3.10 |
| liferay | digital_experience_platform | 2023.q4.0 |
| liferay | digital_experience_platform | 2023.q4.1 |
| liferay | digital_experience_platform | 2023.q4.2 |
| liferay | digital_experience_platform | 2023.q4.3 |
| liferay | digital_experience_platform | 2023.q4.4 |
| liferay | digital_experience_platform | 2023.q4.5 |
| liferay | digital_experience_platform | 2023.q4.6 |
| liferay | digital_experience_platform | 2023.q4.7 |
| liferay | digital_experience_platform | 2023.q4.8 |
| liferay | digital_experience_platform | 2023.q4.9 |
| liferay | digital_experience_platform | 2023.q4.10 |
| liferay | liferay_portal | From 7.4.0 (inc) to 7.4.3.112 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62275 is a security vulnerability in the Blogs component of Liferay Portal and Liferay DXP. The system fails to check permissions for images embedded in blog entries, allowing remote attackers to view these images without any authentication by using a specially crafted URL. [1]
How can this vulnerability impact me?
This vulnerability allows unauthorized remote attackers to access and view images embedded in blog entries without any privileges or user interaction. This could lead to unintended disclosure of potentially sensitive or private images hosted within the blog entries. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The reliable check is the version: compare the installed Liferay Portal or DXP build against the affected ranges in the table above. A behavioural check is also possible: the flaw is that image URLs embedded in blog entries are served without a permission check, so take the URL of an image from a blog entry that is supposed to be restricted (for example in a private site, or an entry whose guest view permission has been removed), then request that URL with no session. Use a plain GET rather than a HEAD request (curl -I or wget --spider), because servers may answer HEAD differently, and do not follow redirects so a redirect to the login page stays visible. The paths below are placeholders, not real Liferay routes; substitute the image URL copied from the blog entry: curl -s -o /dev/null -w '%{http_code} %{content_type}\n' http://<liferay-host>/<blog-image-url>. If the anonymous request returns HTTP 200 with an image/* content type for an image that is not meant to be public, the installation exhibits the vulnerable behaviour. A 200 for an image in a public blog proves nothing, since guests are allowed to see it anyway; a 302 to the login page, a 401/403, or a 200 whose body is the HTML login page means access was blocked. [1]
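The probe described above, written out as an added example (this is not code from BaseFortify or from Liferay): it sends an anonymous GET, classifies the response, and, when a session cookie is supplied, repeats the request authenticated so that a 403 or 404 can be told apart from a wrong URL. The image URL, the host and the cookie value are assumptions to be filled in from a real blog entry in a restricted context.

```shell
#!/bin/sh
# Added example: check whether an image embedded in a blog entry is served
# to an unauthenticated client. Not part of the page or of Liferay's code.
# Assumptions (not from the page): the URL is copied from a blog entry that
# is supposed to be restricted, and the optional cookie is a valid logged-in
# session (e.g. 'JSESSIONID=...') used only to confirm the URL is correct.

# classify_response STATUS CONTENT_TYPE -> exposed | blocked | missing | unknown
#   exposed : 200 with an image body, i.e. served without credentials
#   blocked : 401/403, a redirect (typically to the login page), or a 200
#             whose body is HTML (login page rendered) instead of an image
#   missing : 404, which says nothing about the permission check
classify_response() {
    status=$1
    ctype=${2%%;*}            # drop any '; charset=...' suffix
    case "$status" in
        200)
            case "$ctype" in
                image/*) echo exposed ;;
                *)       echo blocked ;;
            esac ;;
        301|302|303|307|308) echo blocked ;;
        401|403)             echo blocked ;;
        404)                 echo missing ;;
        *)                   echo unknown ;;
    esac
}

# probe URL [COOKIE] -> "STATUS CONTENT_TYPE" from a real GET via curl.
# GET, not HEAD, and no -L: a login redirect must stay visible.
probe() {
    url=$1
    cookie=${2:-}
    if [ -n "$cookie" ]; then
        curl -s -o /dev/null -b "$cookie" -w '%{http_code} %{content_type}\n' "$url"
    else
        curl -s -o /dev/null -w '%{http_code} %{content_type}\n' "$url"
    fi
}

# check URL [COOKIE]: compare the anonymous and authenticated outcomes.
check() {
    url=$1
    cookie=${2:-}
    set -- $(probe "$url")
    anon=$(classify_response "$1" "$2")
    echo "anonymous:     $1 $2 -> $anon"
    if [ -z "$cookie" ]; then
        echo "RESULT: $anon (supply a session cookie to rule out a wrong URL)"
        return
    fi
    set -- $(probe "$url" "$cookie")
    auth=$(classify_response "$1" "$2")
    echo "authenticated: $1 $2 -> $auth"
    if [ "$anon" = exposed ]; then
        echo "RESULT: image served without credentials (behaviour described for CVE-2025-62275)"
    elif [ "$auth" = exposed ]; then
        echo "RESULT: image restricted to authenticated users (not exposed)"
    else
        echo "RESULT: inconclusive; the URL returns no image even when authenticated"
    fi
}

# usage: sh probe_blog_image.sh 'https://liferay.example/<blog-image-url>' 'JSESSIONID=...'
if [ -n "${1:-}" ]; then check "$@"; fi
```

Run it against an image from a public blog entry first to confirm the tool reports `exposed` on something that is meant to be visible; the finding only counts when the same result appears for an image the guest role should not be able to see.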
What immediate steps should I take to mitigate this vulnerability?
The fix is to upgrade affected Liferay Portal and Liferay DXP installations to a release outside the affected ranges: Liferay Portal 7.4.3.112 or later, and Liferay DXP 2024.Q1.1 or later, as stated in the source; confirm the exact fixed builds for your release line against Liferay's own advisory before relying on them. The flaw is a missing authorization check inside the application, so anything applied at the perimeter is only a stopgap: a reverse proxy or WAF rule that denies unauthenticated requests to the blog image URLs can reduce exposure, but only where guests are not expected to view blog images at all, and a plain network firewall cannot tell an anonymous request from an authenticated one. Until the upgrade is applied, identify blog entries whose embedded images are sensitive (private sites, entries with guest view permission removed) and move or remove those images, since their URLs are what an attacker would request. [1]