Описание
Liferay Portal is vulnerable to CSRF through publication comments
Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-62245
- https://github.com/liferay/liferay-portal/commit/dd89fff675f04d146fda38a1bec884cf40d0c756
- https://github.com/liferay/liferay-portal/commit/fa356d07ab239e790b7e460d33c25184aef58716
- https://liferay.atlassian.net/browse/LPE-17932
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62245
Пакеты
Наименование
com.liferay:com.liferay.change.tracking.web
maven
Затронутые версииВерсия исправления
>= 2.0.9, < 2.0.121
2.0.121
Связанные уязвимости
CVSS3: 4.3
nvd
4 месяца назад
Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments.