Fluid Attacks Database

Description

Liferay Portal is vulnerable to CSRF through publication comments Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay:com.liferay.change.tracking.web	>=2.0.9 <2.0.121	2.0.121

Aliases

1. CVE-2025-622452. NVD-2025-622453. OSV-2025-622454. GCVE-2025-62245

References

1. https://github.com/liferay/liferay-portal/commit/dd89fff675f04d146fda38a1bec884cf40d0c7562. https://github.com/liferay/liferay-portal/commit/fa356d07ab239e790b7e460d33c25184aef587163. https://liferay.atlassian.net/browse/LPE-179324. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62245

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.