
CVE-2025-62261: Liferay Portal Stores Password Reset Tokens in Plain Text

CVSS Score: N/A

Basic Information

EPSS Score: 0.0608%
Published: 10/28/2025
Updated: 10/29/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name                                 Ecosystem   Vulnerable Versions          First Patched Version
com.liferay.portal:release.portal.bom        maven       >= 7.4.0-ga1, < 7.4.3.100    7.4.3.100
com.liferay.portal:com.liferay.portal.impl   maven       < 92.0.2                     92.0.2

Vulnerability Intelligence

Root Cause Analysis

Analysis of the provided patch b228c7878f2ed5ad8dbc1ff7ec9b5e6d53bb4b5c clearly indicates a security vulnerability within the notifyUser method of the com.liferay.portal.service.impl.UserLocalServiceImpl class. The vulnerability lies in how password reset tokens are handled. The patch encrypts the password reset token (ticket.getKey()) before it is persisted: the lines ticket.setKey(PasswordEncryptorUtil.encrypt(ticket.getKey())); and _ticketLocalService.updateTicket(ticket); are the explicit fix. This confirms that, before the change, the token was stored in cleartext, which is the core of CVE-2025-62261. The notifyUser function is therefore the vulnerable function, as it generates and stores the unencrypted token.

Vulnerable functions

com.liferay.portal.service.impl.UserLocalServiceImpl.notifyUser
portal-impl/src/com/liferay/portal/service/impl/UserLocalServiceImpl.java
The `notifyUser` function generates a password reset token (ticket) for new users. Before the patch, the token's key (`ticket.getKey()`) was stored in the database in plaintext. An attacker with database access could retrieve this token and use it to reset the user's password and take over the account. The patch fixes this by encrypting the ticket key before it's stored.
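The storage pattern behind the root cause and the fix, as an added stand-alone example that is not Liferay's code: a minimal in-memory ticket store (a stand-in for the real ticket table, not `TicketLocalService`) that either persists the raw reset token, as `notifyUser` did before the patch, or persists a one-way SHA-256 digest of it, which here stands in for the `PasswordEncryptorUtil.encrypt` call the patch introduces; the algorithm Liferay's utility uses is not described on this page and is assumed only to be non-reversible.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical reset-ticket store; not part of Liferay. Keys are persisted per user id. */
public class ResetTicketStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<Long, String> ticketKeys = new HashMap<>(); // userId -> persisted key
    private final boolean hashBeforeStore;                       // false = pre-patch behaviour

    public ResetTicketStore(boolean hashBeforeStore) { this.hashBeforeStore = hashBeforeStore; }

    /** Creates a random token, persists it (raw or digested) and returns the value sent to the user. */
    public String issueToken(long userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        ticketKeys.put(userId, hashBeforeStore ? sha256(token) : token);
        return token;
    }

    /** Checks a presented token against the persisted form using a constant-time comparison. */
    public boolean verify(long userId, String presented) {
        String stored = ticketKeys.get(userId);
        if (stored == null || presented == null) return false;
        String candidate = hashBeforeStore ? sha256(presented) : presented;
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     candidate.getBytes(StandardCharsets.UTF_8));
    }

    /** The value a reader of the database (backup, dump, direct access) sees for this user. */
    public String persistedKey(long userId) { return ticketKeys.get(userId); }

    static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JDK
        }
    }

    public static void main(String[] args) {
        ResetTicketStore prePatch = new ResetTicketStore(false), patched = new ResetTicketStore(true);
        prePatch.issueToken(42L);
        String mailedToken = patched.issueToken(42L);
        // Pre-patch: the persisted row is itself a valid token, so database access equals account takeover.
        System.out.println("pre-patch row accepted as token: " + prePatch.verify(42L, prePatch.persistedKey(42L)));
        // Patched: the persisted digest is rejected; only the token actually mailed to the user is accepted.
        System.out.println("patched row accepted as token:   " + patched.verify(42L, patched.persistedKey(42L)));
        System.out.println("patched mailed token accepted:   " + patched.verify(42L, mailedToken));
    }
}
```

The `persistedKey` check is the detection-side view: a row that passes `verify` unchanged is a plaintext token, which is what a database audit for this issue should look for.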
