CVE-2025-62275

Published Nov 1, 2025

Last updated 4 months ago

CVSS medium 6.9

Overview

Description: Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL.
Source: security@liferay.com
NVD status: Analyzed
Products: digital_experience_platform, liferay_portal

Risk scores

CVSS 4.0

Type: Secondary
Base score: 6.9
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: MEDIUM

CVSS 3.1

Type: Primary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM

Weaknesses

security@liferay.com: CWE-863

Hype score: Not currently trending

Liferay's blog images had one job: respect access controls. CVE-2025-62275 shows they chose chaos instead. Any URL, any image, no auth needed. Classic case of "we secured the front door but left the windows wide open" https://t.co/rd1wQTz4p3
@gothburz
2 Nov 2025
149 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*",
            "matchCriteriaId": "8E19E344-92B4-4B46-BD89-25EC7191972C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "1EF6451A-2A5D-4222-A1C6-113AA4B8D4E6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*",
            "matchCriteriaId": "9D6CE430-3C95-4855-BA44-E2E136D1FEB2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*",
            "matchCriteriaId": "44FEB149-C792-493D-B055-568FFC96298A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*",
            "matchCriteriaId": "B050DD73-71B6-46CD-A35B-7ACB53BE6C6A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.5:*:*:*:*:*:*:*",
            "matchCriteriaId": "62432289-E1DC-4013-85C7-6B77299A910F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.6:*:*:*:*:*:*:*",
            "matchCriteriaId": "0912EEFE-DC56-43F6-AE0E-A4E2A033F3C5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.7:*:*:*:*:*:*:*",
            "matchCriteriaId": "9398F679-5F47-4DF2-AA91-4A21126675C6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.8:*:*:*:*:*:*:*",
            "matchCriteriaId": "8296B54A-976A-404C-AB77-0619E4297A69",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.9:*:*:*:*:*:*:*",
            "matchCriteriaId": "F778EB15-2AB0-44C1-BD99-9F7F1851E167",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.10:*:*:*:*:*:*:*",
            "matchCriteriaId": "625E6C10-D0C7-4C5D-99F8-601A7B942392",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "B5CE3202-2723-44A6-B63F-061138287FDA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "A27A8480-7EE1-4265-9117-D6C234ACAC5F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.2:*:*:*:*:*:*:*",
            "matchCriteriaId": "94425688-725E-41DC-B2D3-14F2A7163AD6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.3:*:*:*:*:*:*:*",
            "matchCriteriaId": "623CA096-BDBB-4F59-B734-07FB405800CE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.4:*:*:*:*:*:*:*",
            "matchCriteriaId": "30B27CBE-14BA-4EBB-8B74-91DD1228A1F5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.5:*:*:*:*:*:*:*",
            "matchCriteriaId": "81EDBB1C-9EBB-4FAD-ADAC-B5A890BB3F50",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.6:*:*:*:*:*:*:*",
            "matchCriteriaId": "658B4C0D-D8A2-40DF-87BE-A2E148082BB7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.7:*:*:*:*:*:*:*",
            "matchCriteriaId": "9C3DD89D-A40C-4C31-B698-A23C4A6F243E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.8:*:*:*:*:*:*:*",
            "matchCriteriaId": "C785189B-09C0-4395-A8C5-4C548836B08C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.9:*:*:*:*:*:*:*",
            "matchCriteriaId": "C436962A-5DAC-4843-9EE9-3E18F1524BE0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.10:*:*:*:*:*:*:*",
            "matchCriteriaId": "DFCAE569-D95A-4635-8E92-5142A7C70F51",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "2D6470C7-9D36-43F3-86CB-B79ED9EA53F4",
            "versionEndExcluding": "7.4.3.112",
            "versionStartIncluding": "7.4.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 4.0

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References