CVE-2025-43810: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal
Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users from one virtual instance to add a note to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.
AI Analysis
Technical Summary
CVE-2025-43810 is an Insecure Direct Object Reference (IDOR) vulnerability identified in Liferay Portal versions 7.3.5 through 7.4.3.112 and multiple versions of Liferay DXP including 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92. The vulnerability arises from improper authorization controls in the commerce order notes functionality. Specifically, remote authenticated users can exploit the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter to add notes to orders belonging to different virtual instances than their own. This is a classic example of CWE-639: Authorization Bypass Through User-Controlled Key, where the application fails to verify that the user has permission to access or modify the referenced object. The vulnerability does not require user interaction beyond authentication and can be exploited over the network with low complexity. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, no user interaction, and low attack complexity, but requiring privileges (authenticated user). The impact primarily affects the integrity of order data, allowing unauthorized modification of commerce order notes across virtual instances, potentially leading to confusion, fraudulent order manipulation, or disruption of business processes. Confidentiality and availability impacts are minimal or none. There are no known exploits in the wild as of the publication date, and no official patches are linked yet. The vulnerability affects multi-tenant deployments where virtual instances are used to separate customer or organizational data within the same Liferay Portal installation. This cross-instance authorization bypass can undermine tenant isolation and trust in the platform's security controls.
Potential Impact
For European organizations using Liferay Portal or Liferay DXP in multi-tenant or virtual instance configurations, this vulnerability poses a risk to the integrity of commerce order data. Attackers with valid credentials in one tenant can manipulate order notes in other tenants, potentially leading to fraudulent order modifications, misinformation, or disruption of order processing workflows. This can damage business relationships, cause financial losses, and erode customer trust. Since Liferay is widely used in sectors such as government, education, and enterprise portals across Europe, the impact could extend to critical services and sensitive commercial operations. The vulnerability does not directly expose confidential data or cause denial of service, but the integrity compromise in commerce systems can have downstream effects on billing, compliance, and audit trails. Organizations with strict regulatory requirements under GDPR must consider the risk of unauthorized data manipulation and ensure proper incident response and remediation to maintain compliance.
Mitigation Recommendations
1. Immediate mitigation involves restricting access to the commerce order notes functionality to only trusted users and roles until a patch is available.
2. Implement strict access control checks at the application layer to verify that authenticated users can only modify orders within their own virtual instance.
3. Monitor logs for unusual activity involving cross-instance order note modifications to detect potential exploitation attempts.
4. If possible, isolate virtual instances more strictly at the infrastructure or application configuration level to prevent cross-tenant access.
5. Engage with Liferay support or security advisories to obtain and apply official patches or updates as soon as they are released.
6. Conduct thorough testing of the commerce order note feature post-patching to confirm the vulnerability is remediated.
7. Educate administrators and developers about the risks of IDOR vulnerabilities and enforce secure coding practices to prevent similar authorization bypass issues in customizations or integrations.
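The following is an added example, not Liferay's code, that models the authorization gap described in the technical summary and the two controls from mitigation items 2 and 3: a note handler that trusts the user-supplied commerceOrderId beside one that checks the order's virtual instance against the caller's, and a detection pass over constructed request-log lines. It assumes, as in Liferay, that a virtual instance is identified by a companyId and that order ids are global; the in-memory order store, the log line format and the user ids are constructed.

```python
# Added example, not Liferay's code: models the cross-virtual-instance IDOR in
# CVE-2025-43810 and the check that closes it. Assumes, as in Liferay, that a
# virtual instance is scoped by a companyId and order ids are global, so the
# handler must compare the order's companyId with the caller's.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

PARAM = ("_com_liferay_commerce_order_web_internal_portlet_"
         "CommerceOrderPortlet_commerceOrderId")

@dataclass
class Order:
    order_id: int
    company_id: int  # virtual instance that owns the order
    notes: list = field(default_factory=list)

# Constructed sample data: two virtual instances (10 and 20), one order each.
ORDERS = {1001: Order(1001, 10), 2002: Order(2002, 20)}

def add_note_vulnerable(caller_company_id, order_id, content):
    """Pre-fix shape: trusts the user-controlled key (CWE-639)."""
    ORDERS[order_id].notes.append(content)

def add_note_fixed(caller_company_id, order_id, content):
    """Hardened: the referenced order must belong to the caller's instance."""
    order = ORDERS.get(order_id)
    if order is None or order.company_id != caller_company_id:
        raise PermissionError(f"order {order_id} not in instance {caller_company_id}")
    order.notes.append(content)

def note_allowed(handler, caller_company_id, order_id, content):
    """True if the handler accepted the write, False if it refused."""
    try:
        handler(caller_company_id, order_id, content)
        return True
    except (PermissionError, KeyError):
        return False

def find_cross_instance_requests(log_lines):
    """Detection (mitigation 3): flag note requests whose commerceOrderId
    resolves to an order owned by a different instance than the requester.
    Constructed line format: '<companyId> <userId> <METHOD> <url>'."""
    hits = []
    for line in log_lines:
        company_id, user_id, _method, url = line.split(" ", 3)
        ids = parse_qs(urlsplit(url).query).get(PARAM)
        order = ORDERS.get(int(ids[0])) if ids else None
        if order is not None and order.company_id != int(company_id):
            hits.append((int(user_id), order.order_id, order.company_id))
    return hits
```

In a real deployment the company id of the requester and the owner of the referenced order would come from the session and the order record respectively; the detector only needs those two values per request to surface cross-instance writes.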
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:33.794Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d1cf046f645f121d63656d
Added to database: 9/22/2025, 10:34:44 PM
Last enriched: 9/30/2025, 1:24:27 AM
Last updated: 11/5/2025, 8:58:03 PM