CVE-2025-62252
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-12-12
Assigner: Liferay Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| liferay | digital_experience_platform | Up to 7.4 (inclusive) |
| liferay | digital_experience_platform | From 2023.Q3.1 (inclusive) to 2023.Q3.10 (inclusive) |
| liferay | digital_experience_platform | From 2023.q4.0 (inclusive) to 2023.q4.6 (exclusive) |
| liferay | liferay_portal | From 7.1.0 (inclusive) to 7.4.3.112 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR, CWE-639) in the Users Admin portlet of Liferay Portal and Liferay DXP, in the version ranges listed above. A remote, authenticated user in one virtual instance (a Liferay tenant) can assign an organization to a user who belongs to a different virtual instance by manipulating the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter. The server acts on the user IDs submitted in that parameter without verifying that they belong to the caller's own virtual instance, which is the authorization gap CWE-639 describes.
How can this vulnerability impact me?
An attacker who already holds an account in one virtual instance can change the organization membership of users in another virtual instance, breaking the isolation that virtual instances are meant to provide. Depending on how organization membership drives permissions and content scoping in the affected deployment, this can expose or alter data the attacker should not be able to reach. The attacker must be authenticated, and the flaw itself changes organization assignments; any further access depends on what those assignments grant in the specific environment.
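The following is an added example, not code from Liferay or from this page, showing the CWE-639 pattern behind this CVE: a handler that looks up objects by the IDs a client submits, beside a hardened version that re-scopes every referenced object to the caller's virtual instance before acting. The data model, the comma-separated format of the addUserIds parameter, and all function names are assumptions made for illustration; the sample users and organizations are constructed.

```python
"""Added example (not Liferay's code): tenant-scoped authorization for an
"assign users to organization" action. Everything below, including the
assumption that addUserIds arrives as a comma-separated list, is illustrative."""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    company_id: int                    # the virtual instance the user belongs to
    org_ids: set = field(default_factory=set)


@dataclass
class Organization:
    org_id: int
    company_id: int


class AuthorizationError(Exception):
    pass


# Constructed sample data: two virtual instances, company 1 and company 2.
USERS = {
    100: User(100, 1),
    101: User(101, 1),
    200: User(200, 2),
}
ORGS = {
    10: Organization(10, 1),
    20: Organization(20, 2),
}

# Parameter name from the advisory; the value format is an assumption.
PARAM = "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds"


def parse_user_ids(params: dict) -> list:
    """Parse the (assumed) comma-separated ID list. Non-numeric tokens are
    rejected outright rather than silently skipped."""
    ids = []
    for token in params.get(PARAM, "").split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit():
            raise ValueError(f"bad user id: {token!r}")
        ids.append(int(token))
    return ids


def assign_users_vulnerable(caller: User, org_id: int, params: dict) -> list:
    """Vulnerable pattern: submitted IDs are resolved and acted on directly.
    The caller's company is never consulted, so IDs from another virtual
    instance are accepted (the CWE-639 flaw)."""
    org = ORGS[org_id]
    assigned = []
    for uid in parse_user_ids(params):
        target = USERS[uid]
        target.org_ids.add(org.org_id)
        assigned.append(uid)
    return assigned


def assign_users_hardened(caller: User, org_id: int, params: dict) -> list:
    """Hardened pattern: the organization and every target user referenced by
    the request must belong to the caller's company. All checks run before
    any write so a single foreign ID cannot leave the request half-applied."""
    org = ORGS.get(org_id)
    if org is None or org.company_id != caller.company_id:
        raise AuthorizationError("organization not in caller's virtual instance")
    targets = []
    for uid in parse_user_ids(params):
        target = USERS.get(uid)
        if target is None or target.company_id != caller.company_id:
            raise AuthorizationError(f"user {uid} not in caller's virtual instance")
        targets.append(target)
    for target in targets:
        target.org_ids.add(org.org_id)
    return [t.user_id for t in targets]


def hardened_rejects(caller: User, org_id: int, params: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        assign_users_hardened(caller, org_id, params)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    caller = USERS[100]                       # authenticated in company 1
    cross = {PARAM: "101,200"}                # 200 lives in company 2
    print("vulnerable assigned:", assign_users_vulnerable(caller, 10, cross))
    print("hardened rejects cross-instance IDs:", hardened_rejects(caller, 10, cross))
```

The check that matters is the comparison of each resolved object's company with the caller's company, not the parsing; a handler that validates the parameter format but still resolves IDs globally is just as exposed. When reviewing a fix for an IDOR of this kind, look for that scoping on every ID-bearing parameter of the action, including the organization ID, not only on the user list.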