CVE-2025-62242 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Liferay Portal and Liferay DXP products. The flaw exists in the handling of the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter, which is used to reference account addresses. Due to insufficient authorization checks, a remote authenticated user can manipulate this parameter to access address data belonging to other accounts without proper permissions. This vulnerability affects Liferay Portal versions from 7.4.3.4 up to 7.4.3.111 and multiple Liferay DXP 2023 releases (Q3.1 through Q3.8, Q4.0 through Q4.5, and 7.4 GA through update 92). Exploitation requires the attacker to be authenticated but does not require additional user interaction. The vulnerability can lead to unauthorized disclosure of sensitive personal or organizational address information, potentially violating privacy regulations and exposing organizations to data leakage risks. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required beyond authentication (PR:L), no user interaction (UI:N), and limited impact on confidentiality (VC:L), with no impact on integrity or availability. No public exploits or patches are currently available, so organizations must rely on compensating controls until official fixes are released.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive address data stored within Liferay Portal or DXP environments. Unauthorized access to account addresses can lead to privacy breaches, non-compliance with GDPR and other data protection regulations, and potential reputational damage. Organizations in sectors such as finance, healthcare, government, and e-commerce that rely on Liferay for customer or partner portals are particularly vulnerable. The exposure of address information could facilitate targeted phishing, social engineering attacks, or identity theft. While the vulnerability does not affect system integrity or availability, the breach of confidentiality alone can have severe legal and financial consequences under European data protection laws. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with weak credential management or insider threats.

1. Immediately audit and restrict access controls on the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter to ensure users can only access their own account addresses. 2. Implement strict role-based access control (RBAC) policies within Liferay to limit which authenticated users can view or modify account address data. 3. Monitor application logs and access patterns for unusual or unauthorized attempts to access addressId parameters belonging to other accounts. 4. Enforce multi-factor authentication (MFA) to reduce the risk of compromised credentials being used to exploit this vulnerability. 5. Until official patches are released, consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious parameter tampering. 6. Educate administrators and users about the risk and encourage prompt reporting of suspicious activity. 7. Plan for timely application of vendor patches once available and verify patch effectiveness through penetration testing or code review.