Security Listings
Description
The ComboServlet in Liferay Portal and Liferay DXP does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.
Severity
6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)
Affected Version(s)
- Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions
- Liferay DXP 2023.Q4.0 through 2023.Q4.2
- Liferay DXP 2023.Q3.1 through 2023.Q3.5
- Liferay DXP 7.4 GA through U92
- Liferay DXP 7.3 GA through U35, and older unsupported versions
Fixed Version(s)
- Liferay Portal 7.4.3.112
- Liferay DXP 2024.Q1.1
- Liferay DXP 2023.Q4.3
- Liferay DXP 2023.Q3.6
- Liferay DXP 7.3 U36
Publication Date:
octobre 23, 2025
Found a Bug?
If you have found, or think you have found a bug, help us to help you by letting us know!
Found a Security Vulnerability?
There's a different process available if you have a security issue to report...
Hall of Fame!
Raise your profile - report security vulnerabilities and enter the Hall of Fame!
Community
Company
Feedback