Description
A server-side request forgery (SSRF) vulnerability exist in the Liferay Portal and Liferay DXP that affects custom object attachment fields. This flaw allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources.
Severity
4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Affected Version(s)
- Liferay Portal 7.4.0 through 7.4.3.129
- Liferay DXP 2024.Q4.0 through DXP 2024.Q4.7
- Liferay DXP 2024.Q3.0 through DXP 2024.Q3.13
- Liferay DXP 2024.Q2.0 through DXP 2024.Q2.13
- Liferay DXP 2024.Q1.1 through DXP 2024.Q1.20
Fixed Version(s)
- Liferay Portal 7.4.3.132
- Liferay DXP 2025.Q1.0
- Liferay DXP 2025.Q2.0
Publication date: Mon, 08 Sep 2025 11:27:00 +0000