CVE-2025-62241: 
Java vulnerability analysis and mitigation

CVE-2025-62241 is an Insecure Direct Object Reference (IDOR) vulnerability discovered in Liferay DXP versions 2023.Q4.1 through 2023.Q4.5. The vulnerability was reported by security researcher foobar7 and was published on November 8, 2024. This security flaw allows remote authenticated users to view shipment addresses from different virtual instances by manipulating the comliferaycommerceorderwebinternalportletCommerceOrderPortletcommerceOrderId parameter ([Liferay Advisory](https://liferay.dev/portal/security/known-vulnerabilities/-/assetpublisher/jekt/content/CVE-2025-62241)).

The vulnerability has been assigned a CVSS v4.0 score of 5.3 (Medium) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The issue specifically involves the manipulation of the commerceOrderId parameter in the Commerce Order Portlet, which can be exploited to access shipment addresses across different virtual instances (NVD Database).

When exploited, this vulnerability allows authenticated users to view shipment addresses belonging to different virtual instances, potentially exposing sensitive customer shipping information across instance boundaries (Liferay Advisory).

The vulnerability has been patched in the following versions: Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, and Liferay DXP 2023.Q4.6. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Liferay Advisory).