CVE-2025-3526
EPSS 0.36%Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session
發布日:2025/6/16修改日:2025/6/16
描述
SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.
受影響套件(1)
- Maven/com.liferay.portal:com.liferay.portal.kernelfrom 0, < 38.0.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-3526
- PATCHhttps://github.com/liferay/liferay-portal
- WEBhttps://github.com/liferay/liferay-portal/commit/429834b7cf7c131576f196466a386bb6ce764716
- WEBhttps://github.com/liferay/liferay-portal/commit/b40fe110eb9d264c9c1a79ff77da317bbe6fa528
- WEBhttps://github.com/liferay/liferay-portal/commit/d9108a12269e6b27689b2fd06f66fb881c8ec894
- WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526