Liferay Portal and DXP Email Verification Bypass Vulnerability Allowing API Access and Content Modification

Vulnerability

A vulnerability exists in Liferay Portal versions 7.4.0 through 7.4.3.109, older unsupported versions, and Liferay DXP versions 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. This vulnerability allows remote users to access and edit content via the API, as the system does not restrict API access before a user has verified their email address.

Impact

Exploitation gives remote users who have not verified their email address unauthorized API access, through which they can access and modify content.

Remediation

Users can upgrade to Liferay Portal 7.4.3.110, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, or Liferay DXP 7.3 Update 36.
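For triaging an inventory against the version ranges above, the following is an added example (not Liferay's code and not part of the original advisory). The function name `classify`, the version string formats it accepts ("7.4.3.109", "2023.Q3.4", "7.4 U92", "7.3 GA") and the sample inventory are assumptions; releases later than the listed fixed ones are assumed to carry the fix.

```python
import re

# Version bounds copied from the advisory text above.
PORTAL_FIXED = (7, 4, 3, 110)
DXP_Q_FIXED = {(2023, 3): 5, (2023, 4): 0, (2024, 1): 1}  # release line -> first fixed patch
DXP_LAST_AFFECTED_UPDATE = {(7, 4): 92, (7, 3): 35}
DXP_FIXED_UPDATE = {(7, 3): 36}  # the advisory names no fixed 7.4 update

def classify(product, version):
    """Return 'affected', 'fixed' or 'not listed' for one inventory entry."""
    product, version = product.strip().lower(), version.strip()
    if product == "portal":
        if not re.fullmatch(r"\d+(\.\d+)+", version):
            return "not listed"
        parts = tuple(int(p) for p in version.split("."))
        # Everything below the fixed release is in the affected range or older.
        return "affected" if parts < PORTAL_FIXED else "fixed"
    if product != "dxp":
        return "not listed"
    m = re.fullmatch(r"(\d{4})\.Q([1-4])\.(\d+)", version, re.I)
    if m:  # quarterly release such as 2023.Q3.4
        year, quarter, patch = map(int, m.groups())
        line = (year, quarter)
        if line in DXP_Q_FIXED:
            if patch >= DXP_Q_FIXED[line]:
                return "fixed"
            return "affected" if line == (2023, 3) else "not listed"
        # Assumption: release lines after the newest listed fix carry it too.
        return "fixed" if line > max(DXP_Q_FIXED) else "not listed"
    m = re.fullmatch(r"(\d+)\.(\d+)\s+(?:GA|(?:U|update)\s*(\d+))", version, re.I)
    if m:  # update-numbered release such as "7.4 U92" or "7.3 GA"
        line = (int(m.group(1)), int(m.group(2)))
        update = int(m.group(3) or 0)  # GA counts as update 0
        if line in DXP_LAST_AFFECTED_UPDATE:
            if update <= DXP_LAST_AFFECTED_UPDATE[line]:
                return "affected"
            return "fixed" if update >= DXP_FIXED_UPDATE.get(line, float("inf")) else "not listed"
        return "affected" if line < (7, 3) else "not listed"  # older unsupported
    return "not listed"

# Constructed inventory entries (not from the advisory), for illustration.
SAMPLE = [("Portal", "7.4.3.109"), ("Portal", "7.4.3.110"), ("DXP", "2023.Q3.4"),
          ("DXP", "7.4 U92"), ("DXP", "7.3 U36")]

if __name__ == "__main__":
    for product, version in SAMPLE:
        print(product, version, "->", classify(product, version))
```

A result of "not listed" means the advisory text does not place that release in either range, so it needs a manual check against the vendor's notes.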

Added: Oct 27, 2025, 11:17 PM
Updated: Oct 27, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.3
exploitability: 7.4
remediation: 7.7
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.