Home

Description

Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.

PUBLISHED Reserved 2025-10-09 | Published 2025-10-29 | Updated 2025-10-30 | Assigner Liferay




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-307 Improper Restriction of Excessive Authentication Attempts

Product status

Default status
unaffected

7.4.0 (maven)
affected

Default status
unaffected

2023.Q3.1 (maven)
affected

2023.Q4.0 (maven)
affected

2024.Q1.1 (maven)
affected

References

liferay.dev/...-/asset_publisher/jekt/content/CVE-2025-62257

cve.org (CVE-2025-62257)

nvd.nist.gov (CVE-2025-62257)

Download JSON