PT-2025-44047 · Liferay · Liferay Portal+1
Published: 2025-10-27 · Updated: 2025-11-10 · CVE-2025-62261
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.4.0 through 7.4.3.99
Liferay Portal versions 7.4 GA through update 92
Liferay Portal versions 7.3 GA through update 34
Liferay DXP versions 2023.Q3.1 through 2023.Q3.4
Older unsupported versions of Liferay Portal and Liferay DXP
Description
The software stores password reset tokens in plain text. This allows attackers who gain access to the database to obtain the token, reset a user’s password, and take over the user’s account.
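The mitigation pattern for this weakness class, as an added example that is not Liferay's code or its patch: only a SHA-256 digest of the reset token is persisted, so a value read from the database cannot be replayed as a token. The class and method names, the in-memory map standing in for the database table, and the 15-minute lifetime are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;

public class ResetTokenStore {
    // Hypothetical stand-in for the database table: userId -> stored record.
    private record Row(byte[] tokenHash, Instant expiresAt) {}
    private final Map<Long, Row> table = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    private static byte[] sha256(String token) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JRE
        }
    }

    /** Issues a token: the caller mails it to the user; only its hash is stored. */
    public String issue(long userId, Instant now) {
        byte[] raw = new byte[32]; // 256 bits of entropy, so a fast unsalted hash suffices
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(userId, new Row(sha256(token), now.plusSeconds(900))); // assumed 15-minute lifetime
        return token;
    }

    /** Redeems a token once; expired or mismatching tokens are rejected. */
    public boolean redeem(long userId, String presented, Instant now) {
        Row row = table.get(userId);
        if (row == null || now.isAfter(row.expiresAt())) {
            table.remove(userId);
            return false;
        }
        boolean ok = MessageDigest.isEqual(row.tokenHash(), sha256(presented)); // constant-time compare
        if (ok) table.remove(userId); // single use
        return ok;
    }

    public static void main(String[] args) {
        ResetTokenStore store = new ResetTokenStore();
        Instant now = Instant.now();
        String token = store.issue(42L, now);
        // Constructed scenario: the stored column value is presented as if it were the token.
        String stored = Base64.getUrlEncoder().withoutPadding().encodeToString(store.table.get(42L).tokenHash());
        System.out.println("stored DB value accepted: " + store.redeem(42L, stored, now));
        System.out.println("mailed token accepted:    " + store.redeem(42L, token, now));
    }
}
```

The block uses a record, so it needs Java 16 or later.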
Recommendations
Update Liferay Portal to a version after 7.4.3.99.
Update Liferay Portal to a version after update 92.
Update Liferay Portal to a version after update 34.
Update Liferay DXP to a version after 2023.Q3.4.
Fix
Cleartext Storage of Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
Liferay DXP
Liferay Portal