Liferay Portal and DXP Login Bypass Vulnerability with MFA Enabled

Vulnerability

A vulnerability exists in Liferay Portal versions 7.3.0 to 7.4.3.132, as well as Liferay DXP versions 2025.Q1 (through 2025.Q1.6), 2024.Q4.0 to 2024.Q4.7, 2024.Q3.1 to 2024.Q3.13, 2024.Q2.0 to 2024.Q2.13, 2024.Q1.1 to 2024.Q1.15, 7.4 GA through update 92, and 7.3 GA through update 36. It allows a user who holds valid credentials but has not yet completed authentication to bypass the login process on sites with multi-factor authentication (MFA) enabled. The issue arises because changing the login request's HTTP method from POST to GET circumvents the MFA requirement.

Impact

Exploitation of this vulnerability allows unauthorized access to user accounts by bypassing the login process, potentially leading to unauthorized actions or access to sensitive information within the Portal or DXP environment.

Added: Aug 18, 2025, 5:25 PM
Updated: Aug 18, 2025, 5:25 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.