CVE-2025-62257 Lockout mechanism doesn't prevent password enumeration brute force attacks

Description

Password enumeration vulnerability in Liferay Portal and Liferay DXP allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.

Severity

6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Affected Version(s)

Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions
Liferay DXP 2024.Q1 through 2024.Q1.5
Liferay DXP 2023.Q3
Liferay DXP 2023.Q4
Liferay DXP 7.4, and older unsupported versions

Fixed Version(s)

Liferay Portal 7.4.3.120
Liferay DXP 2024.Q4.0
Liferay DXP 2024.Q3.0
Liferay DXP 2024.Q2.0
Liferay DXP 2024.Q1.6

Publication date: Wed, 29 Oct 2025 11:25:00 +0000

Known Vulnerabilities

Releases

Description

Severity

Affected Version(s)

Fixed Version(s)