CVE-2025-62258
27.10.2025, 23:15
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.
| Vendor | Product | Version |
|---|---|---|
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3:fix_pack_1 |
| liferay | digital_experience_platform | 7.3:fix_pack_2 |
| liferay | digital_experience_platform | 7.3:service_pack_1 |
| liferay | digital_experience_platform | 7.3:service_pack_2 |
| liferay | digital_experience_platform | 7.3:service_pack_3 |
| liferay | digital_experience_platform | 7.3:update1 |
| liferay | digital_experience_platform | 7.3:update10 |
| liferay | digital_experience_platform | 7.3:update11 |
| liferay | digital_experience_platform | 7.3:update12 |
| liferay | digital_experience_platform | 7.3:update13 |
| liferay | digital_experience_platform | 7.3:update14 |
| liferay | digital_experience_platform | 7.3:update15 |
| liferay | digital_experience_platform | 7.3:update16 |
| liferay | digital_experience_platform | 7.3:update17 |
| liferay | digital_experience_platform | 7.3:update18 |
| liferay | digital_experience_platform | 7.3:update19 |
| liferay | digital_experience_platform | 7.3:update2 |
| liferay | digital_experience_platform | 7.3:update20 |
| liferay | digital_experience_platform | 7.3:update21 |
| liferay | digital_experience_platform | 7.3:update22 |
| liferay | digital_experience_platform | 7.3:update23 |
| liferay | digital_experience_platform | 7.3:update24 |
| liferay | digital_experience_platform | 7.3:update25 |
| liferay | digital_experience_platform | 7.3:update26 |
| liferay | digital_experience_platform | 7.3:update27 |
| liferay | digital_experience_platform | 7.3:update28 |
| liferay | digital_experience_platform | 7.3:update29 |
| liferay | digital_experience_platform | 7.3:update3 |
| liferay | digital_experience_platform | 7.3:update30 |
| liferay | digital_experience_platform | 7.3:update31 |
| liferay | digital_experience_platform | 7.3:update32 |
| liferay | digital_experience_platform | 7.3:update33 |
| liferay | digital_experience_platform | 7.3:update34 |
| liferay | digital_experience_platform | 7.3:update35 |
| liferay | digital_experience_platform | 7.3:update4 |
| liferay | digital_experience_platform | 7.3:update5 |
| liferay | digital_experience_platform | 7.3:update6 |
| liferay | digital_experience_platform | 7.3:update7 |
| liferay | digital_experience_platform | 7.3:update8 |
| liferay | digital_experience_platform | 7.3:update9 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 2023.q3.1:q3.1 |
| liferay | digital_experience_platform | 2023.q3.2:q3.2 |
| liferay | digital_experience_platform | 2023.q3.3:q3.3 |
| liferay | digital_experience_platform | 2023.q3.4:q3.4 |
| liferay | liferay_portal | 7.4.0 ≤ 𝑥 < 7.4.3.108 |
𝑥 = Vulnerable software versions
Common Weakness Enumeration