CVE-2025-62276 is a vulnerability categorized under CWE-525, which concerns the use of web browser cache containing sensitive information. The issue affects Liferay Portal versions 7.4.0 through 7.4.3.111, older unsupported versions, and multiple Liferay DXP 2023 Q3 and Q4 releases. The root cause is the incorrect implementation of cache-control headers in the Document Library and Adaptive Media modules. These headers govern how browsers cache downloaded files. Due to improper cache-control, sensitive files downloaded via the portal are stored in the browser cache without adequate protection. This allows local users with access to the same machine to retrieve these cached files, potentially exposing confidential data. The vulnerability requires local access and user interaction (such as downloading files) but does not require authentication or elevated privileges. The CVSS 4.0 score is 4.6 (medium severity), reflecting limited attack vector (local), low complexity, and partial impact on confidentiality and integrity. No known exploits have been reported in the wild, but the vulnerability poses a risk of sensitive data leakage in environments where multiple users share workstations or where endpoint security is weak. The issue is particularly relevant for organizations relying on Liferay Portal for document management and media delivery, as cached sensitive files could be accessed by unauthorized local users.

For European organizations, the primary impact is the potential unauthorized disclosure of sensitive information stored in downloaded files cached by browsers. This can lead to data breaches, loss of confidentiality, and potential compliance violations under regulations such as GDPR. The vulnerability does not directly affect system integrity or availability but can undermine trust in document management systems. Organizations with shared workstations or insufficient endpoint security controls are at higher risk. Public sector entities, financial institutions, and enterprises using Liferay Portal for sensitive document handling could face reputational damage and regulatory penalties if sensitive cached data is accessed by unauthorized personnel. The local access requirement limits remote exploitation, but insider threats or compromised endpoints could exploit this vulnerability. Additionally, the need for user interaction means phishing or social engineering could facilitate exploitation. Overall, the impact is moderate but significant in environments with sensitive data and shared access.

1. Apply official patches or updates from Liferay as soon as they become available to correct cache-control header implementations. 2. Until patches are released, configure web server or reverse proxy settings to enforce strict cache-control headers (e.g., 'Cache-Control: no-store, no-cache, must-revalidate') for sensitive content served by the Document Library and Adaptive Media modules. 3. Educate users to clear browser caches regularly, especially on shared or public workstations. 4. Implement endpoint security controls to restrict local user access and monitor for unauthorized file access. 5. Use browser policies or group policies to disable caching of sensitive files or enforce secure cache handling. 6. Review and limit local user privileges to reduce risk of unauthorized access to cached files. 7. Conduct security awareness training to reduce risk of social engineering that might lead to exploitation. 8. Monitor logs for unusual access patterns to cached files or document downloads. These steps go beyond generic advice by focusing on interim controls before patching and emphasizing endpoint and user behavior management.