Liferay Portal
Moderate fix1 remedy
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*
Moderate fix1 remedy
- >= 7.4.3.94, <= 7.4.3.132
Liferay Portal and Liferay DXP Email Content Modification Vulnerability in Calendar Portlet
Vulnerability
Patched
A vulnerability exists in Liferay Portal versions 7.4.0 through 7.4.3.132, as well as in Liferay DXP versions 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16, and Liferay DXP 7.4 GA through update 92. This vulnerability allows any authenticated user to alter the content of emails dispatched via the calendar portlet. Consequently, an attacker could send phishing emails to other users within the same organization.
Impact
Exploitation of this vulnerability could lead to unauthorized modification of email content, allowing for phishing attacks against other users in the organization.
Remediation
Liferay Portal users can upgrade to the latest version available on the master branch. Liferay DXP users should upgrade to version 2025.Q2.0 or 2025.Q1.7.
Added: Aug 19, 2025, 2:22 PM
Updated: Aug 19, 2025, 2:22 PM
Vulnerability Rating
Custom Algorithm
spread
3.1impact
0.6exploitability
5.0remediation
7.7relevance
0.4threat
0.0urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.