
CVE-2025-62245: Liferay Portal is vulnerable to CSRF through publication comments

CVSS Score: N/A

Basic Information

EPSS Score: 0.14853%
Published: 10/10/2025
Updated: 10/13/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: com.liferay:com.liferay.change.tracking.web
Ecosystem: maven
Vulnerable Versions: >= 2.0.9, < 2.0.121
First Patched Version: 2.0.121

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The analysis of the provided patches indicates that the vulnerability is a classic case of Cross-Site Request Forgery (CSRF) within the Liferay Portal's publication comment feature. The root cause is the absence of request-method and CSRF-token checks in the doServeResource method of the UpdateCTCommentMVCResourceCommand class.

The first commit, dd89fff675f04d146fda38a1bec884cf40d0c756, introduces a check to ensure that all requests to this endpoint are of the POST method. This is a standard mitigation for CSRF, as it prevents simple attacks that rely on embedding malicious URLs in iframes or image tags. The fact that this check was missing indicates that the endpoint was previously vulnerable to GET-based CSRF attacks.

The second commit, fa356d07ab239e790b7e460d33c25184aef58716, further strengthens the security of the endpoint by adding a CSRF token check using AuthTokenUtil.checkCSRFToken. This ensures that even POST requests must contain a valid, user-specific token, effectively preventing attackers from forging requests from a different origin.

Based on this evidence, the doServeResource function is identified as the vulnerable function. During an exploit, this function would be present in the runtime profile as it is the entry point for the vulnerable action of adding or editing a publication comment. The patches directly modify this function to add the necessary security controls that were previously absent.

Vulnerable functions

Function: com.liferay.change.tracking.web.internal.portlet.action.UpdateCTCommentMVCResourceCommand.doServeResource
File: modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/action/UpdateCTCommentMVCResourceCommand.java
The vulnerability lies in the `doServeResource` method, which is responsible for handling requests to update comments. The initial patch `dd89fff675f04d146fda38a1bec884cf40d0c756` reveals that the method did not check if the incoming request was a POST request. This omission made it possible for an attacker to craft a malicious URL that, when visited by a logged-in user, would trigger the comment update action without the user's consent. The subsequent patch `fa356d07ab239e790b7e460d33c25184aef58716` further reinforces this by adding a CSRF token check, confirming that the endpoint was not protected against cross-site request forgery.
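The following is an added illustrative handler, not Liferay's own patch code, showing a resource command that applies the two controls described above (POST-only, then a CSRF token check) before touching any state. The class name, the `_ctCommentService` field and its `updateCTComment` call are assumptions; `BaseMVCResourceCommand`, `PortalUtil.getHttpServletRequest`, `HttpMethods.POST`, `AuthTokenUtil.checkCSRFToken` and `ParamUtil` are Liferay kernel APIs.

```java
// Added example (not Liferay's code): the two CSRF controls from the patches,
// applied before any state change. Class name and service call are assumptions.
package example.ctcomment;

import com.liferay.change.tracking.service.CTCommentService; // assumed service
import com.liferay.portal.kernel.portlet.bridges.mvc.BaseMVCResourceCommand;
import com.liferay.portal.kernel.security.auth.AuthTokenUtil;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.servlet.HttpMethods;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PortalUtil;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;
import javax.servlet.http.HttpServletRequest;

public class HardenedUpdateCommentResourceCommand extends BaseMVCResourceCommand {

    @Override
    protected void doServeResource(
            ResourceRequest resourceRequest, ResourceResponse resourceResponse)
        throws Exception {

        HttpServletRequest httpServletRequest =
            PortalUtil.getHttpServletRequest(resourceRequest);

        // Control 1 (first patch): a state-changing resource URL is only
        // reachable via POST. An <img> or <iframe> on a third-party page can
        // only issue GET, so rejecting other methods closes that path.
        if (!HttpMethods.POST.equals(httpServletRequest.getMethod())) {
            throw new PrincipalException(
                "Publication comments may only be updated with POST");
        }

        // Control 2 (second patch): a POST can still be forged by an
        // auto-submitting form, so require the per-user token (p_auth) that a
        // cross-origin page cannot read. Throws PrincipalException on failure.
        AuthTokenUtil.checkCSRFToken(httpServletRequest, getClass().getName());

        // Only now read the parameters and perform the actual update.
        long ctCommentId = ParamUtil.getLong(resourceRequest, "ctCommentId");
        String comment = ParamUtil.getString(resourceRequest, "comment");

        // Assumed service call; the real method and signature are not on this page.
        _ctCommentService.updateCTComment(ctCommentId, comment);
    }

    // Assumed injected service (would be an OSGi @Reference in a real component).
    private CTCommentService _ctCommentService;
}
```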
