fkie_cve-2025-62258
Vulnerability from fkie_nvd
Published
2025-10-27 23:15
Modified
2025-11-10 21:39
Severity ?
Summary
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*",
"matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*",
"matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*",
"matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*",
"matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_2:*:*:*:*:*:*",
"matchCriteriaId": "135BED68-C2EC-4EE7-9138-91E0EE3608EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*",
"matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:*",
"matchCriteriaId": "35F42314-AC3F-45B6-8BF8-49811E5F2FAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*",
"matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*",
"matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*",
"matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*",
"matchCriteriaId": "D9F352AE-AE22-4A84-94B6-6621D7E0BC59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*",
"matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:*",
"matchCriteriaId": "1F8A9DEC-2C27-4EBB-B684-8EBDB374CFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:*",
"matchCriteriaId": "C3E7B777-8026-4C8F-9353-B5504873E0F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:*",
"matchCriteriaId": "2207FEE5-2537-4C6E-AC9C-EC53DBF3C57E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:*",
"matchCriteriaId": "087A2B43-07CE-4B3D-B879-449631DDA8D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:*",
"matchCriteriaId": "019CED83-6277-434C-839C-6C4E0C45FB1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update2:*:*:*:*:*:*",
"matchCriteriaId": "0ABA624F-C90B-4EAF-91E3-FCEA6997D889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:*",
"matchCriteriaId": "6C533124-74E6-4312-9AF7-6496DE2A5152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update21:*:*:*:*:*:*",
"matchCriteriaId": "8DDA248D-5F00-4FC1-B857-A7942BAA1F3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update22:*:*:*:*:*:*",
"matchCriteriaId": "6C6BA174-69D4-43FC-9395-1B6306A44CDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update23:*:*:*:*:*:*",
"matchCriteriaId": "A465C229-D3FB-43E9-87BE-119BEE9110F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update24:*:*:*:*:*:*",
"matchCriteriaId": "32E98546-CE96-4BB8-A11C-F7E850C155F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*",
"matchCriteriaId": "DD43C626-F2F2-43BA-85AA-6ADAE8A6D11F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*",
"matchCriteriaId": "5C72C0E0-7D0B-4E8F-A109-7BB5DCA1C8D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*",
"matchCriteriaId": "7E796B04-FF54-4C02-979C-87E137A76F63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*",
"matchCriteriaId": "07C3D771-5E1B-46C4-AAF8-F425377582D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*",
"matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update3:*:*:*:*:*:*",
"matchCriteriaId": "88483D15-5860-42D7-BBF4-7EAE22C885DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*",
"matchCriteriaId": "E915FBC2-9BF7-4A99-B201-1F176D743494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*",
"matchCriteriaId": "E44E02C2-6F83-4525-BF9D-E82CE9A9880E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*",
"matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*",
"matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*",
"matchCriteriaId": "02D4C998-77F5-4428-A7B9-F7D909E23E92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update35:*:*:*:*:*:*",
"matchCriteriaId": "C6984AC8-461D-488F-A911-7BF1D12B44A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*",
"matchCriteriaId": "AD408C73-7D78-4EB1-AA2C-F4A6D4DC980B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*",
"matchCriteriaId": "513F3229-7C31-44EB-88F6-E564BE725853",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*",
"matchCriteriaId": "76B9CD05-A10E-439C-9FDE-EA88EC3AF2C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*",
"matchCriteriaId": "A7D2D415-36AA-41B2-8FD9-21A98CDFE1EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*",
"matchCriteriaId": "124F2D2E-F8E7-4EDE-A98B-DD72FB43DF20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*",
"matchCriteriaId": "0DEE5985-289E-4138-B7C0-1E471BA7A1FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8E19E344-92B4-4B46-BD89-25EC7191972C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1EF6451A-2A5D-4222-A1C6-113AA4B8D4E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9D6CE430-3C95-4855-BA44-E2E136D1FEB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "44FEB149-C792-493D-B055-568FFC96298A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B050DD73-71B6-46CD-A35B-7ACB53BE6C6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D23EB185-798C-4F89-8AAA-6D229BCD8BA4",
"versionEndExcluding": "7.4.3.108",
"versionStartIncluding": "7.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter."
}
],
"id": "CVE-2025-62258",
"lastModified": "2025-11-10T21:39:01.403",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@liferay.com",
"type": "Secondary"
}
]
},
"published": "2025-10-27T23:15:38.520",
"references": [
{
"source": "security@liferay.com",
"tags": [
"Vendor Advisory"
],
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62258"
}
],
"sourceIdentifier": "security@liferay.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security@liferay.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…