Liferay Portal and DXP Kaleo Forms Admin Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Kaleo Forms Admin component of Liferay Portal versions 7.0.0 to 7.4.3.4, as well as Liferay DXP versions 7.4 GA, 7.3 GA through update 27, and older unsupported versions. The vulnerability arises because the application does not properly restrict the saving of request parameters in the portlet session. This oversight allows remote attackers to craft HTTP requests that consume system memory, leading to denial-of-service conditions.
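The pattern the advisory describes, shown as an added illustration rather than Liferay's own code: a portlet action that copies every request parameter into the portlet session beside a bounded alternative. The class name, the allowed parameter names, the length limit and the session key are assumptions for this example; the `javax.portlet` calls used are standard JSR 286 API.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.portlet.ActionRequest;
import javax.portlet.PortletSession;

// Hypothetical helper, not Liferay's code: contrasts the unrestricted
// session-saving pattern the advisory describes with a bounded alternative.
public final class SessionParamStore {

    // Vulnerable pattern: every request parameter, whatever its name, count
    // or size, is copied into the portlet session. Server-side session memory
    // therefore grows with the content of each incoming request.
    public static void saveAllParams(ActionRequest request) {
        PortletSession session = request.getPortletSession();
        for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
            session.setAttribute(e.getKey(), e.getValue());
        }
    }

    // Hardened pattern (names and limits are assumed for the example): only
    // known parameters are kept, each value has a fixed upper bound, and the
    // whole set is stored under one key so a new request replaces the previous
    // state instead of accumulating more attributes.
    private static final Set<String> ALLOWED = Set.of("formName", "workflowDefinitionName");
    private static final int MAX_VALUE_LENGTH = 256;
    private static final String SESSION_KEY = "example.admin.params"; // assumed key

    public static Map<String, String> saveAllowedParams(ActionRequest request) {
        Map<String, String> kept = new HashMap<>();
        for (String name : ALLOWED) {
            String value = request.getParameter(name);
            if (value == null) {
                continue;
            }
            if (value.length() > MAX_VALUE_LENGTH) {
                // Oversized input is rejected outright rather than stored.
                throw new IllegalArgumentException("parameter too long: " + name);
            }
            kept.put(name, value);
        }
        request.getPortletSession().setAttribute(SESSION_KEY, kept);
        return kept;
    }
}
```

The bounded version caps both the number of attributes (the allow-list) and their size, which is the property the vulnerable code lacks; on an unpatched system, unusual growth in session memory on the Kaleo Forms Admin portlet is the observable symptom.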
Impact
Exploitation of this vulnerability can cause excessive memory consumption, resulting in denial-of-service conditions where the system becomes unresponsive or unavailable.
Remediation
Users can upgrade to Liferay Portal 7.4.3.5, Liferay DXP 7.4 update 1, or Liferay DXP 7.3 update 28 to address this vulnerability.
