CVE-2025-4604

Summary

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.0 <= 7.4.3.132affected
LiferayDXP7.4.13-u80 <= 7.4.13-u92affected
LiferayDXP2024.Q1.1 <= 2024.Q1.16affected
LiferayDXP2024.Q2.0 <= 2024.Q2.13affected
LiferayDXP2024.Q3.0 <= 2024.Q3.13affected
LiferayDXP2024.Q4.0 <= 2024.Q4.7affected
LiferayDXP2025.Q1.0 <= 2025.Q1.15affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References