CVE-2025-4604

Severity CVSS v4.0:

MEDIUM

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

04/08/2025

Last modified:

05/08/2025

Description

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 6.90 MEDIUM
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): Active
Confidentiality (VC): High
Integrity (VI): Low
Availability (VA): None
Confidentiality (SC): High
Integrity (SI): Low
Availability (SA): None

Base Score 4.0

6.90

Severity 4.0

MEDIUM

References to Advisories, Solutions, and Tools

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4604