VYPR
High severityNVD Advisory· Published Jun 16, 2025· Updated Feb 26, 2026

CVE-2025-3594

CVE-2025-3594

Description

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the _com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.liferay:com.liferay.server.admin.webMaven
>= 5.0.0, < 5.0.245.0.24
com.liferay:com.liferay.server.admin.webMaven
>= 4.0.0, < 4.0.484.0.48
com.liferay:com.liferay.server.admin.webMaven
>= 3.0.0, < 3.0.673.0.67
com.liferay:com.liferay.server.admin.webMaven
>= 2.0.0, < 2.0.662.0.66
com.liferay:com.liferay.server.admin.webMaven
< 1.0.931.0.93

Affected products

3

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.