CVE-2025-62251 The Menu Display Widget shows content to users without permission to view it

Description

Liferay Portal and Liferay DXP shows content to users who do not have permission to view it via the Menu Display Widget. This security flaw could result in sensitive information being exposed to unauthorized users.

Severity

4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

Affected Version(s)

  • Liferay Portal 7.3.0 through 7.4.3.119
  • Liferay DXP 2023.Q4.0 through 2023.Q4.5
  • Liferay DXP 2023.Q3.1 through 2023.Q3.8
  • Liferay DXP 7.4, and older unsupported versions

Fixed Version(s)

  • Liferay Portal 7.4.3.120
  • Liferay DXP 2024.Q2.0
  • Liferay DXP 2024.Q1.1
  • Liferay DXP 2023.Q4.6
  • Liferay DXP 2023.Q3.9

Publication date: Wed, 06 Nov 2024 16:30:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.