CVE-2025-3586

EPSS 0.29%
Veröffentlicht 01.09.2025 18:15:29
Zuletzt bearbeitet 12.12.2025 20:08:45
Quelle security@liferay.com
CVE-Watchlists
Login
Unerledigt
Login

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions. 

In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses. 

Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Liferay ≫ Digital Experience Platform Version >= 2023.Q3.1 <= 2023.Q3.10

Liferay ≫ Digital Experience Platform Version >= 2023.q4.0 <= 2023.q4.10

Liferay ≫ Digital Experience Platform Version >= 2024.Q1.1 <= 2024.Q1.20

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate27

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate28

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate29

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate30

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate31

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate32

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate33

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate34

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate35

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate36

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate37

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate38

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate39

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate40

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate41

Liferay ≫ Digital Experience Platform Version7.4 Updateupdate42

Liferay ≫ Liferay Portal Version >= 7.4.3.27 < 7.4.3.43

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.517

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security@liferay.com	7.5	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3586

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-3586

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-3586

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-3586

EUVD