
CVE-2025-62243: CWE-863 Incorrect Authorization in Liferay Portal

Severity: Medium
Tags: Vulnerability, CVE-2025-62243, CWE-863
Published: Mon Oct 13 2025 (10/13/2025, 17:14:58 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. Publications comments in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 do not properly check user permissions, which allows remote authenticated users to edit publication comments via crafted URLs.

AI-Powered Analysis

Last updated: 10/13/2025, 17:25:17 UTC

Technical Analysis

CVE-2025-62243 is an authorization bypass vulnerability classified under CWE-863, affecting Liferay Portal versions 7.4.1 through 7.4.3.112 and Liferay DXP releases from the 2023 Q3 and Q4 series up to update 92. The flaw arises from insufficient permission checks in the Publications component, specifically in the handling of the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. Remote authenticated attackers can exploit this by crafting URLs that let them view and edit publication comments they should not have access to. This insecure direct object reference (IDOR) vulnerability compromises the integrity and confidentiality of publication comments, potentially enabling unauthorized content manipulation or information disclosure. The vulnerability does not require user interaction, and no privileges beyond authentication are necessary, so any legitimate or compromised authenticated account can exploit it. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, no user interaction, and limited impact on confidentiality and integrity but no availability impact. No public exploits or patches have been reported at the time of disclosure, emphasizing the need for proactive mitigation. The vulnerability affects multiple Liferay versions widely used in enterprise content management and digital experience platforms, posing a risk to organizations relying on these systems for publication workflows and collaboration.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure and modification of publication comments within Liferay Portal or DXP environments. This may result in reputational damage, misinformation, or manipulation of official communications, especially in sectors like government, education, and media where Liferay is commonly deployed. The integrity of published content can be compromised, potentially undermining trust in digital services. Since the vulnerability requires authentication but no elevated privileges, insider threats or compromised user accounts could be leveraged to exploit this flaw. The impact on confidentiality is limited to publication comments, but the integrity impact is more significant as unauthorized edits can alter the meaning or intent of communications. Availability is not affected, so service disruption is unlikely. The medium CVSS score reflects these moderate risks. Organizations with regulatory obligations around data integrity and information security, such as GDPR compliance, may face compliance risks if unauthorized data modifications occur.

Mitigation Recommendations

Organizations should immediately assess their Liferay Portal and DXP deployments to identify affected versions. Since no official patches are currently available, temporary mitigations include restricting access to the Publications component to only trusted users and implementing strict access controls and monitoring on publication comment editing functionalities. Web application firewalls (WAFs) can be configured to detect and block suspicious requests containing manipulated _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameters. Audit logs should be enabled and regularly reviewed to detect unauthorized access or edits. User accounts should enforce strong authentication mechanisms, and compromised accounts should be promptly disabled. Organizations should subscribe to Liferay security advisories for timely patch releases and apply updates as soon as they become available. Additionally, conducting internal penetration testing focusing on IDOR vulnerabilities in Liferay components can help identify similar authorization weaknesses.
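The audit-log review and parameter monitoring recommended above can be partly automated. The following is an added example, not code from this page or from Liferay: it parses a few constructed access-log lines, extracts the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter from each request, and flags requests whose value is not in the requesting user's permitted set. The log format, request paths, user names, publication IDs and the permission map are all assumptions made for the example; in a real deployment the permitted set would come from Liferay's own permission data, and the parameter value is assumed here to identify the publication whose comments are being accessed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter named in the CVE description.
PARAM = "_com_liferay_change_tracking_web_portlet_PublicationsPortlet_value"

# Constructed sample log lines (not real Liferay logs): combined-log style with
# the authenticated user as the second field. Paths and IDs are made up.
SAMPLE_LOG = """\
10.0.0.5 alice [13/Oct/2025:17:30:01 +0000] "GET /app/publications?p_p_id=com_liferay_change_tracking_web_portlet_PublicationsPortlet&_com_liferay_change_tracking_web_portlet_PublicationsPortlet_value=1001 HTTP/1.1" 200
10.0.0.5 alice [13/Oct/2025:17:30:09 +0000] "GET /app/publications?p_p_id=com_liferay_change_tracking_web_portlet_PublicationsPortlet&_com_liferay_change_tracking_web_portlet_PublicationsPortlet_value=2002 HTTP/1.1" 200
10.0.0.7 bob [13/Oct/2025:17:31:00 +0000] "GET /web/guest/home HTTP/1.1" 200
10.0.0.7 bob [13/Oct/2025:17:31:15 +0000] "POST /app/publications?_com_liferay_change_tracking_web_portlet_PublicationsPortlet_value=1001 HTTP/1.1" 200
"""

# Constructed permission map (assumption): user -> publication IDs that user may access.
PERMITTED = {
    "alice": {"1001"},
    "bob": {"2002"},
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})$'
)


def extract_value(target):
    """Return the PARAM value from a request target, or None if absent."""
    values = parse_qs(urlsplit(target).query).get(PARAM)
    return values[0] if values else None


def find_unauthorized(log_text, permitted):
    """Flag requests whose PARAM value is outside the user's permitted set.

    GET requests correspond to the 'view' half of the CVE (confidentiality),
    other methods to the 'edit' half (integrity).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        value = extract_value(m["target"])
        if value is None:
            continue  # request does not touch the Publications parameter
        user = m["user"]
        if value not in permitted.get(user, set()):
            findings.append({
                "user": user,
                "ip": m["ip"],
                "method": m["method"],
                "value": value,
                "kind": "view" if m["method"] == "GET" else "edit",
                "timestamp": m["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_LOG, PERMITTED):
        print(f"{f['timestamp']} {f['user']}@{f['ip']} {f['kind']} "
              f"of publication {f['value']} not permitted")
```

Requests that never carry the parameter are ignored, so the check adds no noise for ordinary portal traffic; the finding's method lets a reviewer separate unauthorized views from unauthorized edits, which matters because the description treats the two as distinct weaknesses.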


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-10-09T20:58:49.217Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ed35e765e259ed7ed4fecc

Added to database: 10/13/2025, 5:24:55 PM

Last enriched: 10/13/2025, 5:25:17 PM

Last updated: 10/13/2025, 8:13:01 PM

Views: 6
