Description

Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.

Remediation

References

CVE-2025-62257

Related Vulnerabilities

WordPress Plugin Post Pay Counter PHP Object Injection (2.730)

Oracle JRE CVE-2023-21937 Vulnerability (CVE-2023-21937)

Apache HTTP Server Resource Management Errors Vulnerability (CVE-2007-6750)

Liferay DXP Observable Discrepancy Vulnerability (CVE-2024-26268)

MediaWiki Improper Input Validation Vulnerability (CVE-2013-1816)

Severity

Medium

Classification

CVE-2025-62257 CWE-307 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities