Insecure Direct Object Reference Vulnerability in Liferay DXP by Liferay
CVE-2025-62241

5.3MEDIUM

Key Information:

Vendor: Liferay
Status: Dxp
Vendor: CVE Published:; 13 October 2025

What is CVE-2025-62241?

The vulnerability allows remote authenticated users to exploit weak access controls in Liferay DXP versions from 2023.Q4.1 to 2023.Q4.5. By manipulating the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter, users can view shipment addresses associated with different virtual instances, potentially exposing sensitive information across the platform.

Affected Version(s)

DXP 2023.Q4.0 <= 2023.Q4.5

References

https://liferay.dev/portal/security/known-vulnerabilities...

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Oct 13, 2025
Vulnerability Reserved
Oct 9, 2025

Credit

foobar7

JSON