Primary

Context

Liferay Portal and Liferay DXP Cross-Site Request Forgery Vulnerability

Vulnerability

Patched

A cross-site request forgery (CSRF) vulnerability has been identified in Liferay Portal versions 7.4.0 to 7.4.3.132, as well as in several Liferay DXP releases. This vulnerability allows remote attackers to perform cross-origin requests on behalf of authenticated users by exploiting the endpoint parameter.

Impact

Exploitation of this vulnerability allows for cross-site request forgery, where an attacker can perform actions on behalf of an authenticated user.

Remediation

Users of Liferay Portal can update to the latest version available on the master branch. Liferay DXP users should upgrade to version 2025.Q2.8, 2025.Q1.16 or 7.4 GA through U92.

Added: Aug 19, 2025, 7:26 PM

Updated: Aug 19, 2025, 7:26 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

6.4

remediation

7.7

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

6.4

remediation

7.7

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Liferay Portal and Liferay DXP Cross-Site Request Forgery Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Liferay Portal

Liferay DXP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating