Description
The ComboServlet in Liferay Portal and Liferay DXP does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.
Severity
6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)
Affected Version(s)
- Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions
- Liferay DXP 2023.Q4.0 through 2023.Q4.2
- Liferay DXP 2023.Q3.1 through 2023.Q3.5
- Liferay DXP 7.4 GA through U92
- Liferay DXP 7.3 GA through U35, and older unsupported versions
Fixed Version(s)
- Liferay Portal 7.4.3.112
- Liferay DXP 2024.Q1.1
- Liferay DXP 2023.Q4.3
- Liferay DXP 2023.Q3.6
- Liferay DXP 7.3 U36
Publication date: Thu, 23 Oct 2025 10:11:00 +0000