CVE-2025-3526

Summary

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.0.0 <= 7.4.3.21affected
LiferayDXP6.2.0 <= portal-173affected
LiferayDXP7.0.10 <= de-102affected
LiferayDXP7.1.10 <= dxp-28affected
LiferayDXP7.2.10 <= dxp-20affected
LiferayDXP7.3.10 <= 7.3.10-u25affected
LiferayDXP7.4.13 <= 7.4.13-u9affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References