CVE-2025-3526
Severity CVSS v4.0:
HIGH
Type:
CWE-400
Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date:
16/06/2025
Last modified:
16/12/2025
Description
SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.
Impact
Base Score 4.0
8.70
Severity 4.0
HIGH
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* | 7.0 (including) | 7.2 (including) |
| cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update15:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update16:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update17:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update18:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update19:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update2:*:*:*:*:*:* | ||
| cpe:2.3:a:liferay:digital_experience_platform:7.3:update20:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page