Home
MEDIUM: 6.9 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:NDefault status
unaffected
7.4.0 (maven)
affected
Default status
unaffected
7.4.13-u80 (maven)
affected
2024.Q1.1 (maven)
affected
2024.Q2.0 (maven)
affected
2024.Q3.0 (maven)
affected
2024.Q4.0 (maven)
affected
2025.Q1.0 (maven)
affected
Description
The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Product status
7.4.0 (maven)
7.4.13-u80 (maven)
2024.Q1.1 (maven)
2024.Q2.0 (maven)
2024.Q3.0 (maven)
2024.Q4.0 (maven)
2025.Q1.0 (maven)
Credits
Gareth Catterall, AnchorSec security team
References
liferay.dev/.../-/asset_publisher/jekt/content/CVE-2025-4604