CVE-2025-43827: 
Java vulnerability analysis and mitigation

Insecure Direct Object Reference (IDOR) vulnerability (CVE-2025-43827) was discovered in Liferay Portal and DXP systems. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.117 and multiple DXP versions including 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, and 2023.Q3.1 through 2023.Q3.10. The vulnerability was disclosed on November 7, 2024, and was reported by security researcher foobar7 (Liferay Advisory).

The vulnerability is an Insecure Direct Object Reference (IDOR) issue that affects the audit events functionality. It allows authenticated users to view audit events from different virtual instances by manipulating the comliferayportalsecurityauditwebportletAuditPortlet_auditEventId parameter. The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The weakness has been categorized as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

The vulnerability allows authenticated users to bypass virtual instance boundaries and access audit events from other virtual instances, potentially exposing sensitive audit information to unauthorized users (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.118 and Liferay DXP versions 2024.Q1.6 and 2024.Q2.0. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).