
CVE-2025-62244: Liferay Publications vulnerable to Authorization Bypass Through User-Controlled Key

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 10/13/2025
Updated: 10/13/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: com.liferay:com.liferay.change.tracking.web
Ecosystem: maven
Vulnerable Versions: < 2.0.122
First Patched Version: 2.0.122

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is an Insecure Direct Object Reference (IDOR) in the Liferay Portal's Publications feature, as described in CVE-2025-62244. An authenticated user could access the edit page of any publication by manipulating the ctCollectionId request parameter.

The root cause is a missing authorization check in the com.liferay.change.tracking.web.internal.portlet.action.EditCTCollectionMVCRenderCommand.render method. This method fetched and prepared the publication for editing based solely on the user-supplied ID, without verifying whether the user had the right to perform that action on that publication.

Analysis of the provided patches, specifically commit 31cf99363bf615f4a3383ffcc78d800de3fa2465, confirms this. The patch introduces a permission check using _ctCollectionModelResourcePermission.check(...) within the render method, validating that the user holds UPDATE permission on the requested publication before proceeding. This directly mitigates the IDOR vulnerability.

The com.liferay.change.tracking.web.internal.portlet.PublicationsPortlet.render method was also identified as relevant. It is the entry point for the portlet, and its modification in the patch to handle security exceptions indicates that it is part of the vulnerable execution path. When the vulnerability is exploited, a profiler would likely show PublicationsPortlet.render calling EditCTCollectionMVCRenderCommand.render, which is where the permission check was missing.

Vulnerable functions

com.liferay.change.tracking.web.internal.portlet.action.EditCTCollectionMVCRenderCommand.render
File: modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/action/EditCTCollectionMVCRenderCommand.java
This function renders the edit page for a publication. It reads `ctCollectionId` directly from the user-controlled request parameters. Before the patch, it did not verify whether the user had permission to edit the specified publication, resulting in an Insecure Direct Object Reference (IDOR). An attacker could supply any valid `ctCollectionId` and reach the edit page for that publication. The patch adds a permission check to close this gap.

com.liferay.change.tracking.web.internal.portlet.PublicationsPortlet.render
File: modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/PublicationsPortlet.java
This function is the main render method of the Publications portlet and serves as its entry point. It delegates rendering of the edit page to `EditCTCollectionMVCRenderCommand`. The patch modifies its exception handling so that authorization failures raised by the newly added permission check in the delegated command are handled gracefully. While not the source of the vulnerability itself, it is a key part of the execution flow when the vulnerability is triggered.
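As an added illustration (not the Liferay patch itself), the following Java render command shows the fail-closed pattern the analysis above describes: the user-supplied ctCollectionId is only used after an UPDATE check through a ModelResourcePermission, and a PrincipalException is turned into an error view rather than the edit page. The Liferay kernel classes and the ModelResourcePermission.check(PermissionChecker, long, String) signature are taken from Liferay's public API; the class name, the request attribute name and the JSP paths are assumptions.

```java
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import com.liferay.change.tracking.model.CTCollection;
import com.liferay.change.tracking.service.CTCollectionLocalService;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.portlet.bridges.mvc.MVCRenderCommand;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.security.permission.ActionKeys;
import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
import com.liferay.portal.kernel.security.permission.resource.ModelResourcePermission;
import com.liferay.portal.kernel.servlet.SessionErrors;
import com.liferay.portal.kernel.util.ParamUtil;

// Illustrative class (assumed name), not Liferay's EditCTCollectionMVCRenderCommand.
public class EditPublicationRenderCommandExample implements MVCRenderCommand {
    private final CTCollectionLocalService ctCollectionLocalService;
    private final ModelResourcePermission<CTCollection> ctCollectionModelResourcePermission;

    public EditPublicationRenderCommandExample(
            CTCollectionLocalService ctCollectionLocalService,
            ModelResourcePermission<CTCollection> ctCollectionModelResourcePermission) {
        this.ctCollectionLocalService = ctCollectionLocalService;
        this.ctCollectionModelResourcePermission = ctCollectionModelResourcePermission;
    }

    @Override
    public String render(RenderRequest renderRequest, RenderResponse renderResponse)
            throws PortletException {
        // User-controlled key: any long the caller puts in the request.
        long ctCollectionId = ParamUtil.getLong(renderRequest, "ctCollectionId");
        try {
            // Before the fix the command went straight to the lookup below, so
            // any authenticated user could open any publication's edit page.
            // Fail closed: require UPDATE on this specific publication first.
            ctCollectionModelResourcePermission.check(
                PermissionThreadLocal.getPermissionChecker(), ctCollectionId,
                ActionKeys.UPDATE);
            CTCollection ctCollection =
                ctCollectionLocalService.getCTCollection(ctCollectionId);
            renderRequest.setAttribute("CT_COLLECTION", ctCollection); // assumed name
            return "/publications/edit_ct_collection.jsp";            // assumed path
        }
        catch (PrincipalException principalException) {
            // Not authorized: record the error and render an error view instead.
            SessionErrors.add(renderRequest, PrincipalException.class);
            return "/publications/error.jsp";                         // assumed path
        }
        catch (PortalException portalException) {
            throw new PortletException(portalException);
        }
    }
}
```

The check runs before the entity is loaded or placed in the request, so an unauthorized caller never reaches the edit view even if the supplied ID is valid.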
