Primary

Context

Liferay Portal and Liferay DXP Internal Server Error Vulnerability with Deleted Client Secret

Vulnerability

Patched

A vulnerability exists in Liferay Portal versions 7.4.0 through 7.4.3.132, and in Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19. When a login attempt is made using a deleted Client Secret, the server responds with an 'Internal Server Error' message. This issue may lead to confusion or misinterpretation of the login process, as the error does not provide clear guidance on the nature of the problem.

Impact

Exploiting this vulnerability causes the server to return an 'Internal Server Error' response, which can obscure the true nature of the issue being encountered.

Remediation

Users can upgrade to Liferay Portal's master branch or Liferay DXP versions 2024.Q1.20, 2025.Q1.17, or 2025.Q2.10 to address this vulnerability.

Added: Sep 9, 2025, 3:16 AM

Updated: Sep 9, 2025, 3:16 AM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

0.5

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

0.5

threat

0.0

urgency

2.9

incentive

1.7

Liferay Portal and Liferay DXP Internal Server Error Vulnerability with Deleted Client Secret

Vulnerability

Impact

Remediation

Affected Products

Liferay Portal

Liferay DXP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating