CVE-2025-62259: 
Java vulnerability analysis and mitigation

Liferay Portal and Liferay DXP contain a vulnerability (CVE-2025-62259) where the system does not limit access to APIs before a user has verified their email address. This vulnerability affects multiple versions including Liferay Portal 7.4.0 through 7.4.3.109 and Liferay DXP versions from 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. The vulnerability was discovered by researcher 4rth4s and was publicly disclosed on September 17, 2024 (Liferay Advisory).

The vulnerability has been assigned a CVSS v4.0 Base Score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-863 (Incorrect Authorization), allowing unauthorized access to and modification of content through the API before email verification is completed (NVD).

The vulnerability allows remote users to access and edit content via the API without having their email addresses verified, potentially compromising the security of the system by bypassing intended access controls (Miggo).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal 7.4.3.110, Liferay DXP 2024.Q1.1, DXP 2023.Q4.0, DXP 2023.Q3.5, or DXP 7.3 Update 36 depending on their current version (Liferay Advisory).