CVE-2025-3526 DoS vulnerability with SessionClicks

Description

SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

Severity

8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Affected Version(s)

Liferay Portal 7.0.0 through 7.4.3.21
Liferay DXP 7.4 GA through Update 9
Liferay DXP 7.3 GA through Update 25
Liferay DXP 7.2
Liferay DXP 7.1
Liferay DXP 7.0
Liferay Portal 6.2 EE

Fixed Version(s)

Liferay Portal 7.4.3.22
Liferay DXP 7.4 Update 10
Liferay DXP 7.3 Update 26

Publication date: Mon, 07 Oct 2024 16:23:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.

Known Vulnerabilities

Releases

Description

Severity

Affected Version(s)

Fixed Version(s)