CVE-2025-3526 Information

Description

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions, does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory, leading to denial-of-service (DoS) conditions, via crafted HTTP requests.

Reference

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526

CNNVD-202506-1892 (Published: 2025-06-16)
