CVE-2025-3526 – com.liferay.portal:com.liferay.portal.kernel
Package
Manager: maven
Name: com.liferay.portal:com.liferay.portal.kernel
Vulnerable Version: >=0 <38.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00409 (percentile 0.60487)
Details
Summary: Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session.
Description: SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and in Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions, does not restrict which request parameters are saved in the HTTP session. Because the session state grows with attacker-controlled input, remote attackers can consume server memory and cause denial-of-service (DoS) conditions via crafted HTTP requests (CWE-400, uncontrolled resource consumption).
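The following Java class is an added illustration of the CWE-400 pattern described above; it is not Liferay code and not the project's actual fix. It contrasts a store that persists every request parameter into the session with a bounded alternative (allowlisted keys, capped value length, capped entry count), which is the generic mitigation for this flaw class. The session is modelled as a plain Map standing in for HttpSession attributes; the class name ClickStateStore, the allowlisted keys and the limits are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration of unbounded session growth (CWE-400) versus a bounded store.
 * Hypothetical code: not Liferay's SessionClicks implementation or its patch.
 * A Map<String,String> stands in for HttpSession attributes.
 */
public final class ClickStateStore {

    /** Vulnerable pattern: every parameter name/value pair is persisted into the session. */
    public static void putUnbounded(Map<String, String> session, Map<String, String> params) {
        for (Map.Entry<String, String> e : params.entrySet()) {
            // The client chooses both the key and the value, so one request can add
            // thousands of distinct entries and each session can grow without limit.
            session.put(e.getKey(), e.getValue());
        }
    }

    // Hypothetical allowlist and limits for the hardened variant.
    private static final Set<String> ALLOWED_KEYS = Set.of("portlet-column-width", "toggle-state");
    private static final int MAX_VALUE_LENGTH = 256;
    private static final int MAX_ENTRIES = 50;

    /** Hardened pattern: only known keys, bounded value size, bounded entry count. Returns how many were stored. */
    public static int putBounded(Map<String, String> session, Map<String, String> params) {
        int accepted = 0;
        for (Map.Entry<String, String> e : params.entrySet()) {
            String key = e.getKey();
            String value = e.getValue();
            if (!ALLOWED_KEYS.contains(key)) {
                continue;                                   // unknown key: ignore
            }
            if (value == null || value.length() > MAX_VALUE_LENGTH) {
                continue;                                   // oversized value: ignore
            }
            if (!session.containsKey(key) && session.size() >= MAX_ENTRIES) {
                continue;                                   // session already at capacity
            }
            session.put(key, value);
            accepted++;
        }
        return accepted;
    }

    /** Demo: a constructed request carrying 10 000 distinct 64 KiB parameters. */
    public static void main(String[] args) {
        String big = "A".repeat(64 * 1024);
        Map<String, String> attackerParams = new LinkedHashMap<>();
        for (int i = 0; i < 10_000; i++) {
            attackerParams.put("junk" + i, big);
        }
        attackerParams.put("toggle-state", "collapsed");    // one legitimate key among the junk

        Map<String, String> vulnerableSession = new LinkedHashMap<>();
        putUnbounded(vulnerableSession, attackerParams);
        long charsHeld = (long) vulnerableSession.size() * big.length();
        System.out.println("unbounded store kept " + vulnerableSession.size()
                + " entries, ~" + (charsHeld / (1024 * 1024)) + " MiB of characters per session if values were distinct");

        Map<String, String> hardenedSession = new LinkedHashMap<>();
        int kept = putBounded(hardenedSession, attackerParams);
        System.out.println("bounded store kept " + kept + " entry/entries: " + hardenedSession.keySet());
    }
}
```

Note that in this demo every junk value shares one String instance, so the JVM does not actually allocate hundreds of megabytes; in a real request each parameter value is a separate object read from the wire, and the printed figure is what one session would retain. Repeating the request with fresh session cookies multiplies that until the heap is exhausted, which is the DoS condition the advisory describes.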
Metadata
Created: 2025-06-16T15:32:28Z
Modified: 2025-06-16T17:00:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mf3r-6m25-3867/GHSA-mf3r-6m25-3867.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-mf3r-6m25-3867