Fluid Attacks Database

Description

Liferay Portal Stores Password Reset Tokens in Plain Text Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s account.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=7.4.0-ga1 <7.4.3.100	7.4.3.100
maven	com.liferay.portal:com.liferay.portal.impl	>=0 <92.0.2	92.0.2

Aliases

1. CVE-2025-622612. NVD-2025-622613. OSV-2025-622614. GCVE-2025-62261

References

1. https://github.com/liferay/liferay-portal/commit/b228c7878f2ed5ad8dbc1ff7ec9b5e6d53bb4b5c2. https://liferay.atlassian.net/browse/LPE-177853. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62261

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.