CVE-2025-XXXX is an improper access control flaw in Liferay’s Calendar portlet. Any authenticated user, regardless of their permissions, can intercept and modify the parameters of the request sent when creating or updating a calendar event. That request carries the data used to generate the notification emails for event invites. By tampering with these parameters through a web proxy, an attacker can inject arbitrary content into the email’s subject and body. The application never checks whether the user is entitled to modify these email templates, so the portal’s SMTP service sends the crafted message, which appears to be a legitimate system notification, to the targeted recipient within the same organization, enabling phishing campaigns.
Platform: Liferay Portal/DXP
Version: 7.4.0 – 7.4.3.132
Vulnerability: Email Modification
Severity: Moderate
Date: 2025-08-19
Predicted patch: 2025-08-26
What Undercode Says:
`curl -X POST 'http://
How to Exploit:
Intercept the calendar event request.
Modify the email body and subject parameters.
Forward the request to send the phishing email.
Protection from this CVE:
Apply the vendor patch.
Implement input sanitization.
Enforce strict access controls on who may change the notification email parameters.
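To make the flaw and its fix concrete, the following added Python example (not Liferay’s code; the handler, permission name and request field names are assumptions) models an event update handler that renders invite emails. The vulnerable version lets any authenticated caller replace the stored subject and body template with request parameters; the hardened version honours those parameters only for users holding a template-management permission, rejects everyone else, and logs the attempt so tampering is visible to defenders.

```python
import logging
from dataclasses import dataclass, field
log = logging.getLogger("calendar-notify")
# Hypothetical permission name; the real Liferay permission constants are not on the page.
MANAGE_TEMPLATES = "MANAGE_NOTIFICATION_TEMPLATES"
# Server-side stored template that invite emails should be rendered from.
DEFAULT_TEMPLATE = {"subject": "Invitation: {title}",
                    "body": "You are invited to {title} on {date}."}

@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)

def render(template, params):
    """Substitute only the known event fields, never arbitrary request keys."""
    fields = {"title": params.get("title", ""), "date": params.get("date", "")}
    out = {}
    for key, text in template.items():
        for name, value in fields.items():
            text = text.replace("{" + name + "}", value)
        out[key] = text
    return out

def build_notification_vulnerable(user, params):
    """Before: any authenticated caller's emailSubject/emailBody replace the template."""
    template = {"subject": params.get("emailSubject", DEFAULT_TEMPLATE["subject"]),
                "body": params.get("emailBody", DEFAULT_TEMPLATE["body"])}
    return render(template, params)

def build_notification_hardened(user, params):
    """After: overriding the template needs an explicit permission; otherwise the
    request is rejected (fail closed) and the attempt is logged for detection."""
    overrides = set(params) & {"emailSubject", "emailBody"}
    if overrides and MANAGE_TEMPLATES not in user.permissions:
        log.warning("user %s submitted %s without %s; request rejected",
                    user.name, sorted(overrides), MANAGE_TEMPLATES)
        raise PermissionError("not allowed to modify notification templates")
    template = dict(DEFAULT_TEMPLATE)
    if "emailSubject" in overrides:
        template["subject"] = params["emailSubject"]
    if "emailBody" in overrides:
        template["body"] = params["emailBody"]
    return render(template, params)

# Constructed sample request: a legitimate event plus tampered template parameters.
TAMPERED_REQUEST = {"title": "Q3 planning", "date": "2025-09-01",
                    "emailSubject": "TAMPERED SUBJECT", "emailBody": "TAMPERED BODY"}
```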
Impact:
Authenticated phishing attacks.
Reputational damage.
Information disclosure.
Sources:
Reported By: github.com