
CVE-2025-62262: Liferay Portal Vulnerable to Information Exposure Through a Log File Vulnerability in LDAP Import Feature

CVSS Score: N/A

Basic Information

EPSS Score: 0.01482%
Published: 10/27/2025
Updated: 10/29/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: com.liferay:com.liferay.portal.security.ldap.impl
Ecosystem: maven
Vulnerable Versions: >= 4.0.2, < 4.0.54
First Patched Version: 4.0.54

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is the logging of sensitive user information (email addresses) during the LDAP import process. The patch, commit fc14297acd87703ba1027d691fa27a6b96bbb57c, lowers the log level of a message containing the user's email address from INFO to DEBUG in the _updateUser method of the com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl class. Because INFO is the level normally enabled in production, the email address of every user imported or updated from LDAP was written to the application log, where it is readable by anyone with access to the log files and is typically forwarded to log aggregation systems. Lowering the message to DEBUG keeps the address out of the log under a default configuration; it does not remove the message, so an installation that enables DEBUG logging for this package (for example while troubleshooting LDAP synchronisation) still records the address, and log files written before the upgrade to 4.0.54 still contain it. _updateUser is therefore identified as the vulnerable function, since it is where the sensitive data was written to the log.

Vulnerable functions

com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl._updateUser
modules/apps/portal-security/portal-security-ldap-impl/src/main/java/com/liferay/portal/security/ldap/internal/exportimport/LDAPUserImporterImpl.java
The `_updateUser` method in the `LDAPUserImporterImpl` class logged user email addresses at the INFO level, so the addresses appeared in production logs, where INFO is the usual minimum level. The defect is that personal data (an email address) is written to a log file; the fix lowers the message to DEBUG.
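As an added example (not Liferay's code and not taken from the patch), the pattern described in the root cause analysis and in the vulnerable-function entry above, written against java.util.logging rather than Liferay's own logging facade. The class, method and field names are hypothetical stand-ins for `_updateUser` and the user object it receives, and the sample user is constructed. The hardened variant goes one step beyond the page's fix: besides lowering the level to DEBUG (FINE in java.util.logging), it guards the call with isLoggable so the message is never built when debug is off, and masks the address so that enabling debug logging still does not write the full email.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

// Added example, not Liferay code. java.util.logging stands in for Liferay's
// logging facade; names below are hypothetical stand-ins for _updateUser.
public class LdapImportLogging {

    // Minimal stand-in for the user object handed to the update routine.
    static final class User {
        final long userId;
        final String emailAddress;

        User(long userId, String emailAddress) {
            this.userId = userId;
            this.emailAddress = emailAddress;
        }
    }

    // Captures records in memory so we can inspect what would reach the log file.
    static final class CapturingHandler extends Handler {
        final List<LogRecord> records = new ArrayList<>();

        @Override public void publish(LogRecord record) { records.add(record); }
        @Override public void flush() {}
        @Override public void close() {}
    }

    // BEFORE (the vulnerable pattern): the address is written at INFO, which is
    // enabled in practically every production deployment.
    static void updateUserVulnerable(Logger log, User user) {
        log.info("Updating user " + user.userId + " with email " + user.emailAddress);
    }

    // AFTER: the advisory's fix lowers the level to DEBUG (FINE here). On top of
    // that, the call is guarded and the address is masked, so even a deployment
    // with debug logging enabled never writes the full address.
    static void updateUserHardened(Logger log, User user) {
        if (log.isLoggable(Level.FINE)) {
            log.fine("Updating user " + user.userId + " with email " + mask(user.emailAddress));
        }
    }

    // Keep the first character of the local part and the domain: a***@example.com
    static String mask(String email) {
        int at = email.indexOf('@');
        if (at <= 0) {
            return "***";
        }
        return email.charAt(0) + "***" + email.substring(at);
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("ldap-import-demo");
        log.setUseParentHandlers(false);
        CapturingHandler handler = new CapturingHandler();
        handler.setLevel(Level.ALL);
        log.addHandler(handler);

        User user = new User(20123L, "alice@example.com"); // constructed sample input

        // Typical production configuration: INFO and above.
        log.setLevel(Level.INFO);
        updateUserVulnerable(log, user);
        updateUserHardened(log, user);
        System.out.println("Records written at INFO: " + handler.records.size());
        for (LogRecord r : handler.records) {
            System.out.println("  " + r.getLevel() + ": " + r.getMessage());
        }

        // Debug enabled for this logger, e.g. while troubleshooting LDAP sync.
        handler.records.clear();
        log.setLevel(Level.FINE);
        updateUserHardened(log, user);
        System.out.println("Records written at FINE: " + handler.records.size());
        for (LogRecord r : handler.records) {
            System.out.println("  " + r.getLevel() + ": " + r.getMessage());
        }
    }
}
```

Run it with `java LdapImportLogging.java` (JDK 11 or later). At INFO, the only record captured is the one from the vulnerable method and it carries alice@example.com in full; the hardened method writes nothing. After the logger is raised to FINE, the hardened method writes a single record containing a***@example.com. For an affected installation the same reasoning applies to existing files: logs written by the vulnerable module version already contain addresses, and they stay there until rotated or scrubbed regardless of the upgrade.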

WAF Protection Rules

WAF Rule

Information exposure through log file vulnerability in LDAP import feature in Liferay Portal *.*.* through *.*.*.**, and older unsupported versions, and Liferay DXP ****.Q*.* through ****.Q*.*, *.* ** through update **, *.* ** through update **, and
