CVE-2025-3526

EUVD-2025-18403
SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
Affected Products (NVD)
VendorProductVersion
liferaydigital_experience_platform
7.0 ≤
𝑥
≤ 7.2
liferaydigital_experience_platform
7.3
liferaydigital_experience_platform
7.3:update1
liferaydigital_experience_platform
7.3:update10
liferaydigital_experience_platform
7.3:update11
liferaydigital_experience_platform
7.3:update12
liferaydigital_experience_platform
7.3:update13
liferaydigital_experience_platform
7.3:update14
liferaydigital_experience_platform
7.3:update15
liferaydigital_experience_platform
7.3:update16
liferaydigital_experience_platform
7.3:update17
liferaydigital_experience_platform
7.3:update18
liferaydigital_experience_platform
7.3:update19
liferaydigital_experience_platform
7.3:update2
liferaydigital_experience_platform
7.3:update20
liferaydigital_experience_platform
7.3:update21
liferaydigital_experience_platform
7.3:update22
liferaydigital_experience_platform
7.3:update23
liferaydigital_experience_platform
7.3:update24
liferaydigital_experience_platform
7.3:update25
liferaydigital_experience_platform
7.3:update3
liferaydigital_experience_platform
7.3:update4
liferaydigital_experience_platform
7.3:update5
liferaydigital_experience_platform
7.3:update6
liferaydigital_experience_platform
7.3:update7
liferaydigital_experience_platform
7.3:update8
liferaydigital_experience_platform
7.3:update9
liferaydigital_experience_platform
7.4
liferaydigital_experience_platform
7.4:update1
liferaydigital_experience_platform
7.4:update2
liferaydigital_experience_platform
7.4:update3
liferaydigital_experience_platform
7.4:update4
liferaydigital_experience_platform
7.4:update5
liferaydigital_experience_platform
7.4:update6
liferaydigital_experience_platform
7.4:update7
liferaydigital_experience_platform
7.4:update8
liferaydigital_experience_platform
7.4:update9
liferayliferay_portal
7.0.0 ≤
𝑥
≤ 7.4.3.21
liferayliferay_portal
6.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526