CVE-2025-62242

CWE-639 — Insecure Direct Object Reference4 documents4 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 85.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedOct 13

Description

Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶NVDliferay/liferay_portal7.4.1 — 7.4.3.112

▶CVEListV5liferay/portal7.4.3.4 — 7.4.3.111

▶Mavencom.liferay:com.liferay.change.tracking.web< 2.0.120

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+2

▶NVDliferay/digital_experience_platform16 versions+15

🔴Vulnerability Details

CVEList

CVE-2025-62242: Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7↗2025-10-13

▶

GHSA

Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key↗2025-10-13

▶

OSV

Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key↗2025-10-13

▶