Description

SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs.

Remediation

References

CVE-2025-4655

Related Vulnerabilities

TYPO3 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-3529)

WordPress Plugin Survey Maker-Best WordPress Survey SQL Injection (3.1.1)

Zenphoto Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2007-6666)

MongoDb Missing Authorization Vulnerability (CVE-2025-13643)

WordPress Plugin WP Gravity Forms Zendesk Cross-Site Scripting (1.0.7)

Severity

Medium

Classification

CVE-2025-4655 CWE-918 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities