Description

Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing a request that returns a large number of objects.

Remediation

References

CVE-2025-62260

Related Vulnerabilities

Roundcube Multiple Buffer Overflow Vulnerabilities (CVE-2015-2181)

Varnish Cache Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2013-4484)

WordPress Plugin Advanced Advertising System PHP Object Injection (1.3.1)

WordPress Plugin Htaccess by BestWebSoft Cross-Site Request Forgery (1.8.1)

Artifactory Improper Handling of Exceptional Conditions Vulnerability (CVE-2023-42509)

Severity

High

Classification

CVE-2025-62260 CWE-400 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Missing Update Known Vulnerabilities