CVE-2025-62241

CWE-639 — Insecure Direct Object Reference4 documents4 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 85.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Digital Experience Platform

Timeline

PublishedOct 13

Description

Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Mavencom.liferay.commerce:com.liferay.commerce.order.content.web< 4.0.114

▶CVEListV5liferay/dxp2023.Q4.0 — 2023.Q4.5

▶NVDliferay/digital_experience_platform5 versions+4

🔴Vulnerability Details

GHSA

Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key↗2025-10-13

▶

CVEList

CVE-2025-62241: Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023↗2025-10-13

▶

OSV

Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key↗2025-10-13

▶