CVE-2025-4604 – com.liferay:com.liferay.captcha.impl
Package
Manager: maven
Name: com.liferay:com.liferay.captcha.impl
Vulnerable Version: >=0 <4.0.17
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
EPSS: 0.0006 (percentile: 0.19021)
Details
Liferay Portal CAPTCHA Bypass for Gogo Shell
Vulnerable code allows the CAPTCHA check to be bypassed in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92, after which attackers can run scripts in the Gogo shell.
Metadata
Created: 2025-08-05T00:30:26Z
Modified: 2025-08-05T17:16:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-3j6h-5v68-hvqg/GHSA-3j6h-5v68-hvqg.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-3j6h-5v68-hvqg
Finding: F425
Auto approve: 1