Primary

Context

Liferay Portal and Liferay DXP Insufficient Session Expiration Vulnerability Allowing Session Reuse via SLO API

Vulnerability

Patched

A vulnerability allowing insufficient session expiration has been identified in Liferay Portal versions 7.4.3.121 through 7.3.3.131, as well as in Liferay DXP versions 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12. This vulnerability allows remote, non-authenticated attackers to reuse old user sessions by exploiting the Single Logout (SLO) API.

Impact

Exploitation of this vulnerability allows for the reuse of old user sessions, potentially leading to unauthorized access or actions on behalf of the user.

Remediation

Users can upgrade to Liferay Portal 7.4.3.132 or Liferay DXP versions 2025.Q1.0, 2024.Q1.13, or 2024.Q4.4 to address this vulnerability.

Added: Sep 24, 2025, 2:17 AM

Updated: Sep 24, 2025, 2:17 AM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.3

exploitability

7.4

remediation

7.7

relevance

0.6

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.3

exploitability

7.4

remediation

7.7

relevance

0.6

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Liferay Portal and Liferay DXP Insufficient Session Expiration Vulnerability Allowing Session Reuse via SLO API

Vulnerability

Impact

Remediation

Affected Products

Liferay Portal

Liferay DXP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating