PT-2025-45723 · Maven · Com.Liferay.Portal:Release.Portal.Bom

Published 2025-10-28 · Updated 2025-10-28

CVSS v4.0: 7.0 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the endpoint parameter.

Fix

CSRF


Weakness Enumeration

Related Identifiers

GHSA-GH4W-8QGQ-8W9R

Affected Products

Com.Liferay.Portal:Release.Portal.Bom