CVE-2025-62275: Liferay Portal and DXP do not check permissions of images in a blog entry
(updated )
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL.
References
- github.com/advisories/GHSA-xf7m-v66q-76w8
- github.com/liferay/liferay-portal
- github.com/liferay/liferay-portal/commit/9856c55bcbb3b8ce1276117709b9c0082a19c62c
- github.com/liferay/liferay-portal/commit/e0ae29cfdb8d10a6fddc56d04ca3ae88c3fbc7f3
- liferay.atlassian.net/browse/LPE-17948
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62275
- nvd.nist.gov/vuln/detail/CVE-2025-62275
Code Behaviors & Features
Detect and mitigate CVE-2025-62275 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →