PT-2025-43515 · Liferay · Liferay Portal+1
Published 2025-10-23 · Updated 2025-11-11 · CVE-2025-62256
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3 GA through update 35
Liferay Portal versions 7.4.0 through 7.4.3.109
Liferay DXP versions 2023.Q3.1 through 2023.Q3.7
Liferay DXP versions 2023.Q4.0 through 2023.Q4.5
Liferay Portal 7.4 GA through update 92
Older unsupported versions
Description
The software does not properly restrict access to OpenAPI in certain circumstances, allowing remote attackers to access the OpenAPI YAML file via a crafted URL.
Recommendations
For all affected versions (Liferay Portal 7.3 GA through update 35, Liferay Portal 7.4.0 through 7.4.3.109, Liferay DXP 2023.Q3.1 through 2023.Q3.7, Liferay DXP 2023.Q4.0 through 2023.Q4.5, Liferay Portal 7.4 GA through update 92, and older unsupported versions): at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Missing Authorization
Open Redirect

Related Identifiers

CVE-2025-62256
GHSA-F5VH-4RJ2-W8R8
GHSA-J82Q-C85J-XW4W

Affected Products

Liferay Dxp
Liferay Portal