
CVE-2025-62242: Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 10/13/2025
Updated: 10/13/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.liferay:com.liferay.change.tracking.web | maven | < 2.0.120 | 2.0.120

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The supplied patches touch the com.liferay.change.tracking.web module, specifically the UpdateCTCommentMVCResourceCommand.doServeResource method, and fix two defects there: a missing CSRF protection and an inadequate permission check, which together allow unauthorized modification of change-tracking comment data. Note the mismatch with the CVE record: the CVE title and description describe an Insecure Direct Object Reference (IDOR) in a different module, com.liferay.account.admin.web, and cite a different internal tracker ID (LPE-17932, whereas the commits reference LPD-15347). The vulnerable function and the reasoning below are therefore derived strictly from the commit data, which appears to belong to a different fix than the one the CVE title and description name; the package table above, which lists com.liferay.change.tracking.web rather than the account admin module, reflects those same commits.

Vulnerable functions

com.liferay.change.tracking.web.internal.portlet.action.UpdateCTCommentMVCResourceCommand.doServeResource
modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/action/UpdateCTCommentMVCResourceCommand.java
The `doServeResource` method had two defects. First, it did not check the HTTP method, so the state-changing operations it performs (adding or updating a change-tracking comment) could be triggered by a plain GET request, which is the classic cross-site request forgery (CSRF) vector: any link or image a victim's browser loads can issue one. Second, its permission check only required `VIEW` on the target before allowing the modification, so a user with read-only access could perform write operations, a privilege escalation from read to write.
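To make the two defects concrete, the sketch below contrasts a resource command with the weaknesses described above against a hardened form that refuses non-POST requests before touching state and checks the permission that matches the operation. It is an added illustration written for this page, not Liferay's code or the actual patch: the class names, the `ctCommentId`/`value` parameters, the JSON response shape, the `updateCTComment(long, String)` signature, and the assumption that a `ModelResourcePermission<CTComment>` is registered are all assumptions; the Liferay kernel and portlet APIs imported exist under the names used, and OSGi `@Component` registration is omitted.

```java
// Added illustration for this page, not Liferay's code or the actual patch.
// Assumptions: class names, the "ctCommentId"/"value" parameters, the response
// shape, the updateCTComment(long, String) signature, and that a
// ModelResourcePermission<CTComment> is registered. OSGi @Component omitted.
package com.liferay.change.tracking.web.internal.portlet.action;

import com.liferay.change.tracking.model.CTComment;
import com.liferay.change.tracking.service.CTCommentLocalService;
import com.liferay.portal.kernel.json.JSONUtil;
import com.liferay.portal.kernel.portlet.JSONPortletResponseUtil;
import com.liferay.portal.kernel.portlet.bridges.mvc.BaseMVCResourceCommand;
import com.liferay.portal.kernel.security.permission.ActionKeys;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.resource.ModelResourcePermission;
import com.liferay.portal.kernel.servlet.HttpMethods;
import com.liferay.portal.kernel.theme.ThemeDisplay;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PortalUtil;
import com.liferay.portal.kernel.util.WebKeys;

import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Reference;

/** Shared body: load the comment, check one action on it, then write. */
abstract class BaseUpdateCTCommentCommand extends BaseMVCResourceCommand {

	protected void updateComment(
			ResourceRequest resourceRequest, ResourceResponse resourceResponse,
			String requiredAction)
		throws Exception {

		ThemeDisplay themeDisplay = (ThemeDisplay)resourceRequest.getAttribute(
			WebKeys.THEME_DISPLAY);
		PermissionChecker permissionChecker = themeDisplay.getPermissionChecker();

		long ctCommentId = ParamUtil.getLong(resourceRequest, "ctCommentId");
		String value = ParamUtil.getString(resourceRequest, "value");

		CTComment ctComment = _ctCommentLocalService.getCTComment(ctCommentId);

		// check() throws a PrincipalException when the caller lacks the action,
		// so control leaves doServeResource before any write when it fails.
		_ctCommentModelResourcePermission.check(
			permissionChecker, ctComment, requiredAction);

		_ctCommentLocalService.updateCTComment(ctCommentId, value); // assumed signature

		JSONPortletResponseUtil.writeJSON(
			resourceRequest, resourceResponse, JSONUtil.put("success", Boolean.TRUE));
	}

	@Reference
	private CTCommentLocalService _ctCommentLocalService;

	@Reference(target = "(model.class.name=com.liferay.change.tracking.model.CTComment)")
	private ModelResourcePermission<CTComment> _ctCommentModelResourcePermission;

}

/** Before: any HTTP method is accepted and only VIEW gates the write. */
class VulnerableUpdateCTCommentMVCResourceCommand extends BaseUpdateCTCommentCommand {

	@Override
	protected void doServeResource(
			ResourceRequest resourceRequest, ResourceResponse resourceResponse)
		throws Exception {

		// A read-only user passes the VIEW gate, and the write also runs on a
		// plain GET, e.g. from a cross-site <img src="..."> the victim loads.
		updateComment(resourceRequest, resourceResponse, ActionKeys.VIEW);
	}

}

/** After: reject non-POST first, then require UPDATE rather than VIEW. */
class HardenedUpdateCTCommentMVCResourceCommand extends BaseUpdateCTCommentCommand {

	@Override
	protected void doServeResource(
			ResourceRequest resourceRequest, ResourceResponse resourceResponse)
		throws Exception {

		HttpServletRequest httpServletRequest = PortalUtil.getHttpServletRequest(
			resourceRequest);

		// 1. Method check before any parameter is read or any row is loaded.
		//    This closes the GET vector; an anti-CSRF token for POST is a
		//    separate control not shown here.
		if (!HttpMethods.POST.equals(httpServletRequest.getMethod())) {
			resourceResponse.setProperty(
				ResourceResponse.HTTP_STATUS_CODE,
				String.valueOf(HttpServletResponse.SC_METHOD_NOT_ALLOWED));

			return;
		}

		// 2. The action checked matches the action performed.
		updateComment(resourceRequest, resourceResponse, ActionKeys.UPDATE);
	}

}
```

The ordering in the hardened form matters: the method check runs before `ParamUtil` reads anything and before the comment row is loaded, so a forged GET costs a database lookup of nothing and yields a 405, and the permission checked is the one the operation actually needs, so a user holding only `VIEW` on the comment never reaches `updateCTComment`.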

WAF Protection Rules

WAF Rule

Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal *.*.*.* through *.*.*.***, and Liferay DXP ****.Q*.* through ****.Q*.*, ****.Q*.* through ****.Q*.*, and *.* GA through update ** allows remote authenticat
