exploitDog

CVE-2025-3526

Published: 16 Jun 2025
Source: nvd
CVSS3: 7.5
EPSS: Low

Description

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Versions from 7.0 (inclusive) to 7.2 (inclusive)
cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update2:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update21:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update22:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update23:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update24:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update3:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update4:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update5:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update6:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update7:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update8:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.3:update9:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*
cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
Versions from 7.0.0 (inclusive) to 7.4.3.21 (inclusive)
cpe:2.3:a:liferay:liferay_portal:6.2:*:*:*:enterprise:*:*:*

EPSS

Percentile: 41%
0.00186
Low

7.5 High

CVSS3

Weaknesses

CWE-400

Related vulnerabilities

github
8 months ago

Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session

EPSS

Percentile: 41%
0.00186
Low

7.5 High

CVSS3

Weaknesses

CWE-400