Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permissions for images in a blog entry, which allows remote attackers to view those images via a crafted URL.
PUBLISHED · 5.2 · CWE-863
Problem type
Affected products
Liferay
Portal
<= 7.4.3.111 - AFFECTED
DXP
<= 7.4.13-u92 - AFFECTED
<= 2023.Q3.10 - AFFECTED
<= 2023.Q4.10 - AFFECTED
References
GitHub Security Advisories
GHSA-xf7m-v66q-76w8
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP...
https://github.com/advisories/GHSA-xf7m-v66q-76w8
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL.
JSON source
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-62275",
"assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"assignerShortName": "Liferay",
"dateUpdated": "2025-11-01T02:42:50.698Z",
"dateReserved": "2025-10-09T20:58:54.403Z",
"datePublished": "2025-11-01T02:42:50.698Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"shortName": "Liferay",
"dateUpdated": "2025-11-01T02:42:50.698Z"
},
"descriptions": [
{
"lang": "en",
"value": "Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL."
}
]
}
],
"affected": [
{
"vendor": "Liferay",
"product": "Portal",
"defaultStatus": "unaffected",
"versions": [
{
"version": "7.4.0",
"status": "affected",
"versionType": "maven",
"lessThanOrEqual": "7.4.3.111"
}
]
},
{
"vendor": "Liferay",
"product": "DXP",
"defaultStatus": "unaffected",
"versions": [
{
"version": "7.4.13",
"status": "affected",
"versionType": "maven",
"lessThanOrEqual": "7.4.13-u92"
},
{
"version": "2023.Q3.1",
"status": "affected",
"versionType": "maven",
"lessThanOrEqual": "2023.Q3.10"
},
{
"version": "2023.Q4.0",
"status": "affected",
"versionType": "maven",
"lessThanOrEqual": "2023.Q4.10"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-863: Incorrect Authorization",
"cweId": "CWE-863",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62275"
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
]
}
}
}