CVE-2025-62243: Liferay Publications is vulnerable to Incorrect Authorization

The vulnerability is an Insecure Direct Object Reference (IDOR) within the Liferay Publications feature, affecting comment management. The root cause is a failure to enforce proper authorization checks in the backend MVCResourceCommand classes that handle viewing, updating, and deleting comments.

1. Viewing Comments (GetCTCommentsMVCResourceCommand): The getCTCommentsJSONObject method fetched comments using a ctCollectionId from the request without checking if the user had VIEW permissions on that collection. This allowed any authenticated user to read comments from any publication.

2. Editing Comments (UpdateCTCommentMVCResourceCommand): The doServeResource method allowed a user to update a comment's content based on its ctCommentId. It did not verify that the user making the request was the original author of the comment, allowing unauthorized modification of any comment.

3. Deleting Comments (DeleteCTCommentMVCResourceCommand): Similarly, the doServeResource method for deleting comments only required a ctCommentId. It lacked a check to ensure the request came from the comment's author or an administrator, allowing any authenticated user to delete any comment.

The patches fix these issues by adding the necessary permission checks. For viewing, it now checks for VIEW permission on the collection. For editing and deleting, it verifies that the user's ID matches the comment's author ID or that the user has administrative privileges. The identified vulnerable functions are the doServeResource methods in these command classes, as they are the entry points for the vulnerable operations.