N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62275

CVE-2025-62275: Liferay Portal and DXP do not check permissions of images in a blog entry

Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62275

CVE-2025-62275:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay:com.liferay.blogs.item.selector.web	maven	< 6.0.19	6.0.19

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of CVE-2025-62275 indicates an improper access control vulnerability where images within blog entries can be viewed without correct permissions. The provided patches address an issue where attachments could be uploaded to a blog entry even when a workflow was active, which should have prevented such an action. The reasoning connects these two issues by hypothesizing that bypassing the workflow during the upload process is the root cause of the improper permissions on the images. When the workflow is bypassed, the images are likely created without the necessary access restrictions, making them publicly viewable via a direct URL. The patch corrects this by introducing the showDragAndDropZone method, which enforces the workflow check before allowing an upload. Therefore, this function is identified as the critical component of the fix, and its absence represents the vulnerability. The confidence is rated as medium because the provided commit messages reference different internal issue trackers than the CVE, suggesting a potential mismatch, though the code changes are in the correct module and address a plausible root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62275: Liferay Portal and DXP do not check permissions of images in a blog entry

CVE-2025-62275:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Basic Information

Basic Information

CVE-2025-62275: Liferay Portal and DXP do not check permissions of images in a blog entry

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI