CVE-2025-62244: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter.
AI Analysis
Technical Summary
CVE-2025-62244 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Liferay Portal and Liferay DXP. The flaw sits in the Publications component (the change tracking portlet) and affects Liferay Portal 7.3.1 through 7.4.3.111, Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.8, DXP 7.4 GA through update 92, and DXP 7.3 GA through update 36. The vulnerability arises because the application does not verify that the caller is permitted to access the object selected by the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId request parameter. That parameter carries the numeric identifier of the change tracking collection that backs a publication. Because the collection is resolved from the identifier alone, an authenticated user who is allowed to reach the Publications portlet can substitute another collection's identifier and have the edit page of a publication they were never granted rendered for them. This is an insecure direct object reference (IDOR): the key is user-controlled and maps directly to a persisted object, and the check that should tie the caller to that object is missing. The advisory's scope is viewing the edit page; it does not state that changes can be saved, and the CVSS vector records no integrity impact, so any claim of content manipulation goes beyond what is published. Exploitation requires an authenticated account and, per the vector, a user interaction component, but no elevated privileges or complex technique. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), active user interaction (UI:A), and low confidentiality impact (VC:L), with no integrity or availability impact. No public exploits or active exploitation had been reported as of the publication date. Because the identifier is a plain numeric key rather than an unguessable token, other publications' identifiers can be guessed or enumerated once the pattern is known, and the wide affected-version range means most deployments that have not been updated recently are exposed.
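The pattern described above, as an added illustration rather than Liferay's own code: a hypothetical edit-page handler that resolves a change tracking collection from a user-controlled ctCollectionId, once without any check that ties the caller to the object (the CWE-639 shape) and once with an object-level permission check performed on the resolved object before anything is rendered. The users, collections, role names and permission model are invented for the example.

```python
"""Hypothetical model of the CWE-639 pattern behind CVE-2025-62244.

Added illustration, not Liferay code: the objects, names and permission
model are invented to show the difference between resolving an object
purely from a user-controlled key and checking the caller's permission
on the resolved object before rendering it.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class CTCollection:
    """Stand-in for a publication's change tracking collection."""
    ct_collection_id: int
    name: str
    owner_id: int
    # user ids explicitly granted access to this publication
    invited: frozenset = field(default_factory=frozenset)


# Constructed sample data: two publications owned by different users.
COLLECTIONS = {
    1001: CTCollection(1001, "Q4 pricing update", owner_id=20, invited=frozenset({21})),
    1002: CTCollection(1002, "Layoff announcement (draft)", owner_id=30),
}


def _lookup(ct_collection_id: int) -> CTCollection:
    """Resolve the object from the key; existence is the only thing checked here."""
    try:
        return COLLECTIONS[ct_collection_id]
    except KeyError:
        raise LookupError(f"no ct collection {ct_collection_id}") from None


def has_update_permission(user: User, collection: CTCollection) -> bool:
    """Object-level check: administrators, the owner, or explicitly invited users."""
    if "administrator" in user.roles:
        return True
    return user.user_id == collection.owner_id or user.user_id in collection.invited


def render_edit_page_vulnerable(user: User, ct_collection_id: int) -> str:
    """IDOR: the request key selects the object and nothing ties the caller to it.
    Any authenticated user who can reach the portlet sees any publication's edit
    page just by changing the id. `user` is accepted but never consulted."""
    collection = _lookup(ct_collection_id)
    return f"edit:{collection.ct_collection_id}:{collection.name}"


def render_edit_page_fixed(user: User, ct_collection_id: int) -> str:
    """Same lookup, but the resolved object is checked against the caller
    before anything about it is rendered."""
    collection = _lookup(ct_collection_id)
    if not has_update_permission(user, collection):
        # Fail closed and do not echo the denied object's name back to the caller.
        raise PermissionDenied(f"user {user.user_id} may not edit ct collection {ct_collection_id}")
    return f"edit:{collection.ct_collection_id}:{collection.name}"


def demo() -> dict:
    """Run both handlers as a low-privilege user who owns nothing and was invited nowhere."""
    outsider = User(user_id=99, roles=frozenset({"user"}))
    results = {"vulnerable": render_edit_page_vulnerable(outsider, 1002)}
    try:
        render_edit_page_fixed(outsider, 1002)
        results["fixed"] = "allowed"
    except PermissionDenied:
        results["fixed"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the fixed variant is where the check happens: after the lookup, on the concrete object, using the caller's identity. Checking only that the user may open the portlet (a role check) is not enough, because that is exactly the privilege the advisory assumes the attacker already has.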
Potential Impact
For European organizations, the impact of CVE-2025-62244 primarily concerns unauthorized access to sensitive publication editing interfaces within Liferay Portal or DXP environments. This could lead to unauthorized disclosure of unpublished or internal content, potentially causing reputational damage or leakage of sensitive business information. Although the vulnerability does not directly affect data integrity or system availability, unauthorized access to editing pages could be leveraged in combination with other vulnerabilities or insider threats to escalate privileges or manipulate content. Organizations relying on Liferay Portal for content management, intranet portals, or customer-facing websites may face compliance risks under GDPR if sensitive personal data is exposed. The requirement for authentication limits exposure to internal or partner users, but phishing or credential compromise could increase risk. The medium severity rating suggests moderate risk, but the broad usage of Liferay Portal in European public and private sectors makes this a relevant threat. Without timely patching or mitigation, attackers with valid credentials could exploit this vulnerability to bypass authorization controls, undermining trust in content governance processes.
Mitigation Recommendations
To mitigate CVE-2025-62244, organizations should first confirm whether they run an affected build (Liferay Portal 7.3.1 through 7.4.3.111, DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, or 7.3 GA through update 36) and move to the first release beyond those ranges as published by Liferay. Until the upgrade lands, shrink the attack surface: the bypass needs an authenticated account that can render the Publications portlet, so apply least privilege and restrict the roles that can reach it. Be clear about what compensating controls can and cannot do. A WAF cannot know which ctCollectionId values a given user is entitled to, so rules on _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId only help in rate or enumeration form, for example many distinct values from one session in a short window. Logging and alerting on access to publication edit pages, correlated with the authenticated user and the identifier requested, is the most useful detective control and also provides the record needed to scope exposure if exploitation is suspected; the application server or reverse proxy access log can supply this where the user is recorded there. Audit custom portlets and extensions for the same pattern: every handler that resolves an object from a request parameter must check the caller's permission on the resolved object, not merely that the object exists. Phishing awareness and multi-factor authentication reduce the chance that an outsider obtains an account, but they do not address the primary risk, which is a legitimate portal user viewing publications they were never granted.
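One way to implement the logging-based detection recommended above, as an added example that is not part of the original advisory: a small Python detector that parses access log lines, keeps only requests carrying the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter, and flags any actor who touches many distinct identifiers inside a short window, which is the enumeration pattern an IDOR invites. The log format, the assumption that the reverse proxy writes the portal user into the remote-user field, the URL shape, the user names and the identifier values are all assumptions for the illustration, and the sample log is constructed, not real traffic.

```python
"""Detection sketch for ctCollectionId enumeration against the Publications portlet.

Added example, not part of the original advisory. Parses constructed Apache
combined-format access log lines, keeps requests that carry the
_com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId
parameter, and flags an actor that requests many distinct ids in a short window.
The log layout, the proxy writing the portal user into the remote-user field,
the URL shape, user names and id values are assumptions for the illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

PARAM = "_com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId"

# Apache combined format up to the response size; remote-user is assumed to be
# filled in by the proxy, with the client IP used as the actor when it is "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (actor, timestamp, ct_collection_id, status), or None when the
    line is not a request that carries the ctCollectionId parameter."""
    m = LOG_RE.match(line)
    if not m:
        return None
    values = parse_qs(urlsplit(m["target"]).query).get(PARAM)
    if not values or not values[0].isdigit():
        return None
    actor = m["user"] if m["user"] != "-" else m["ip"]
    return actor, datetime.strptime(m["ts"], TS_FMT), int(values[0]), int(m["status"])


def find_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Return one alert per actor whose distinct ctCollectionId values inside any
    `window` reach `threshold`. Ids that returned 200 are listed separately so a
    responder can see which edit pages actually rendered versus were refused."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            actor, ts, cid, status = rec
            events[actor].append((ts, cid, status))
    alerts = []
    for actor, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({cid for _, cid, _ in evs[start:end + 1]}))
        if peak >= threshold:
            ids = sorted({cid for _, cid, _ in evs})
            alerts.append({
                "actor": actor,
                "peak_distinct_in_window": peak,
                "ids": ids,
                "rendered_200": sorted({cid for _, cid, st in evs if st == 200}),
                # a gap-free run of ids is the signature of blind enumeration
                "consecutive": ids == list(range(ids[0], ids[0] + len(ids))),
            })
    return alerts


def _line(ip, user, ts, cid, status):
    """Build one constructed log line for the sample below (URL shape assumed)."""
    target = ("/group/control_panel/manage?p_p_id="
              f"com_liferay_change_tracking_web_portlet_PublicationsPortlet&{PARAM}={cid}")
    return f'{ip} - {user} [{ts} +0000] "GET {target} HTTP/1.1" {status} 18211'


# Constructed sample traffic: alice revisits her own publication; mallory walks
# six consecutive ids in twenty seconds and one of them is refused.
SAMPLE_LOG = [
    _line("10.0.0.5", "alice", "13/Oct/2025:17:30:01", 41001, 200),
    _line("10.0.0.5", "alice", "13/Oct/2025:17:31:40", 41001, 200),
    '10.0.0.9 - mallory [13/Oct/2025:17:39:50 +0000] "GET /web/guest/home HTTP/1.1" 200 5120',
    *[_line("10.0.0.9", "mallory", f"13/Oct/2025:17:40:{4 * i:02d}", 41001 + i,
            403 if i == 3 else 200) for i in range(6)],
]

if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

Tune `threshold` and `window` to the site: an editor who legitimately works across many publications will exceed a low threshold, so the `rendered_200` list and the `consecutive` flag matter more than the count alone. A run of consecutive identifiers that mostly returned 200 is the case to escalate, since on an unpatched build every 200 is an edit page the user may not have been entitled to see.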
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden, Finland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-10-09T20:58:49.217Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ed375065e259ed7ed7d000
Added to database: 10/13/2025, 5:30:56 PM
Last enriched: 10/13/2025, 5:31:08 PM
Last updated: 10/13/2025, 8:12:45 PM
Related Threats
- CVE-2024-38002: CWE-862 Missing Authorization in Liferay Portal (Critical)
- CVE-2025-62242: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal (Medium)
- CVE-2025-62241: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay DXP (Medium)
- CVE-2025-61775: CWE-613: Insufficient Session Expiration in Whimsies-YAT Vickey (Medium)
- CVE-2025-62243: CWE-863 Incorrect Authorization in Liferay Portal (Medium)