CVE-2025-62245
EPSS 0.01%
Liferay Portal is vulnerable to CSRF through publication comments
Published: 10/10/2025
Modified: 10/13/2025
Description
Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments.
Affected packages (1)
- Maven/com.liferay:com.liferay.change.tracking.web >= 2.0.9, < 2.0.121
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-62245
- PATCH: https://github.com/liferay/liferay-portal
- WEB: https://github.com/liferay/liferay-portal/commit/dd89fff675f04d146fda38a1bec884cf40d0c756
- WEB: https://github.com/liferay/liferay-portal/commit/fa356d07ab239e790b7e460d33c25184aef58716
- WEB: https://liferay.atlassian.net/browse/LPE-17932
- WEB: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62245