CVE-2025-43810: 
Java vulnerability analysis and mitigation

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in Liferay Portal and DXP systems, identified as CVE-2025-43810. The vulnerability affects multiple versions including Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92. The vulnerability was reported by security researcher foobar7 and was published on November 8, 2024 (Liferay Security).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue specifically affecting commerce order notes functionality. It allows remote authenticated users from one virtual instance to add a note to an order in a different virtual instance by manipulating the comliferaycommerceorderwebinternalportletCommerceOrderPortlet_commerceOrderId parameter. The vulnerability has been assigned a CVSS v4.0 score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The weakness is categorized as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD Database).

The vulnerability allows authenticated users to bypass virtual instance isolation in Liferay's commerce system, potentially compromising the integrity of order data by allowing unauthorized note additions across different virtual instances (Liferay Security).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal 7.4.3.113, Liferay DXP 2024.Q2.0, Liferay DXP 2024.Q1.1, or Liferay DXP 2023.Q4.9 (Liferay Security).