CVE-2025-62259: 
Java Schwachstellenanalyse und -minderung

Liferay Portal and Liferay DXP contain an email address verification bypass vulnerability (CVE-2025-62259) that allows remote users to access and edit content via the API before verifying their email address. The vulnerability was discovered in September 2024 and affects multiple versions of Liferay products (Liferay Security).

The vulnerability has a CVSS v4.0 score of 6.9 (Medium severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The core issue lies in the application's failure to properly restrict API access for users who haven't completed email verification (Liferay Security).

The vulnerability allows unauthorized remote users to bypass email verification requirements and gain access to content editing capabilities through the API. This could potentially lead to unauthorized content modifications and compromise the integrity of the system (Liferay Security).

The vulnerability has been patched in multiple versions including Liferay Portal 7.4.3.110, Liferay DXP 2024.Q1.1, 2023.Q4.0, 2023.Q3.5, and Liferay DXP 7.3 Update 36. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Security).

The vulnerability was responsibly disclosed by security researcher 4rth4s, demonstrating the active involvement of the security community in identifying and reporting Liferay product vulnerabilities (Liferay Security).