CVE-2025-62243: 
Java vulnerability analysis and mitigation

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in Liferay Portal and DXP's Publications feature, identified as CVE-2025-62243. The vulnerability affects Liferay Portal versions 7.4.1 through 7.4.3.112, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92. The vulnerability was disclosed on September 16, 2024, and was reported by security researcher foobar7 (Liferay Security).

The vulnerability allows remote authenticated attackers to view and edit publication comments through two attack vectors. First, attackers can view publication comments by exploiting the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. Second, due to improper permission checking, attackers can edit publication comments using crafted URLs. The vulnerability has been assigned a CVSS v4.0 score of 5.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (Liferay Security).

The vulnerability enables authenticated users to bypass intended access controls, potentially allowing unauthorized viewing and modification of publication comments. This could lead to information disclosure and unauthorized content manipulation within affected Liferay installations (Miggo Security).

The vulnerability has been fixed in Liferay Portal version 7.4.3.113 and Liferay DXP versions 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, and 2023.Q3.9. Organizations using affected versions should upgrade to the fixed versions to mitigate the vulnerability (Liferay Security).