Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session
High severity
GitHub Reviewed
Published Jun 16, 2025 to the GitHub Advisory Database. Updated Jun 16, 2025.
Package
Affected versions: < 38.0.0
Patched versions: 38.0.0
Description
Published by the National Vulnerability Database: Jun 16, 2025
Published to the GitHub Advisory Database: Jun 16, 2025
Reviewed: Jun 16, 2025
Last updated: Jun 16, 2025
SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.
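The difference between saving request parameters without restriction and saving them under per-session limits, as an added example that is not Liferay's code or its patch. A plain Map stands in for the session attribute, and the class name, method names and limit values are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Illustrative only: a Map stands in for the HTTP session attribute that holds
// saved click state. Class name, method names and limits are assumptions.
public class BoundedClickStore {
    static final int MAX_ENTRIES = 1024;      // assumed cap on keys per session
    static final int MAX_KEY_LENGTH = 256;    // assumed cap on key size (chars)
    static final int MAX_VALUE_LENGTH = 1024; // assumed cap on value size (chars)

    // Unbounded pattern: every client-supplied key/value pair is kept, so
    // session memory grows with whatever the requests contain.
    static void putUnbounded(Map<String, String> session, String key, String value) {
        session.put(key, value);
    }

    // Bounded pattern: reject oversized input and refuse new keys once the
    // per-session entry cap is reached; updates to existing keys still work.
    static boolean putBounded(Map<String, String> session, String key, String value) {
        if (key == null || value == null) {
            return false;
        }
        if (key.length() > MAX_KEY_LENGTH || value.length() > MAX_VALUE_LENGTH) {
            return false;
        }
        if (!session.containsKey(key) && session.size() >= MAX_ENTRIES) {
            return false;
        }
        session.put(key, value);
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> session = new LinkedHashMap<>();
        int rejected = 0;
        // Constructed input: 5000 distinct keys sent to one session.
        for (int i = 0; i < 5000; i++) {
            if (!putBounded(session, "panel-" + i, "open")) {
                rejected++;
            }
        }
        // An oversized value is refused even for a key that already exists.
        boolean big = putBounded(session, "panel-0", "x".repeat(MAX_VALUE_LENGTH + 1));
        System.out.println("stored=" + session.size() + " rejected=" + rejected
            + " oversizedAccepted=" + big);
    }
}
```

Rejections counted this way are also a useful signal to log per session, since a steady stream of them indicates requests probing the limit.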