CVE-2025-62242

MEDIUM

Liferay Portal 7.4.3.4-7.4.3.111 & DXP 2023.Q4.0-2023.Q4.5, 2023.Q3.1-2023.Q3.8, 7.4 GA-92 - IDOR via Account Address

Title source: llm
STIX 2.1

Description

Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter.

References (1)

Core 1

Scores

CVSS v3 4.3
EPSS 0.0026
EPSS Percentile 17.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (18)
com.liferay/com.liferay.change.tracking.web 0 - 2.0.120Maven
liferay/digital_experience_platform 7.4
liferay/digital_experience_platform 2023.q3.1
liferay/digital_experience_platform 2023.q3.2
liferay/digital_experience_platform 2023.q3.3
liferay/digital_experience_platform 2023.q3.4
liferay/digital_experience_platform 2023.q3.5
liferay/digital_experience_platform 2023.q3.6
liferay/digital_experience_platform 2023.q3.7
liferay/digital_experience_platform 2023.q3.8
... and 8 more
Published Oct 13, 2025
Tracked Since Feb 18, 2026