
CVE-2025-62247: Liferay Portal and DXP are Missing Authorization in Collection Provider

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 10/22/2025
Updated: 10/22/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay:com.liferay.search.experiences.service | maven | <= 3.0.84 | |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The security vulnerability described as 'Missing Authorization in Collection Provider' in Liferay Portal is directly addressed by the provided commit 019d703943ef58fb7bd3f30fe680c02c2756f86b. The analysis of this commit reveals a critical change in the SXPBlueprintInfoCollectionProvider.java file.

The core of the vulnerability is located in the isAvailable() method. Before the fix, this method only verified whether a specific feature flag (LPS-129412) was active. It performed no authorization check on the user accessing a 'Blueprint'. Specifically, it was missing a check to confirm that the Blueprint belonged to the same Liferay instance (or 'company') as the user making the request.

The patch introduces this missing authorization check. The updated isAvailable() method now includes a condition that compares the companyId of the sxpBlueprint with the companyId of the currently authenticated user, retrieved via CompanyThreadLocal.getCompanyId(). This ensures that a Blueprint is only considered 'available' if it belongs to the same instance the user is logged into, effectively closing the cross-tenant data access flaw.

Therefore, the com.liferay.search.experiences.internal.info.collection.provider.SXPBlueprintInfoCollectionProvider.isAvailable function is the precise location of the vulnerability. During exploitation, a call to this function would return true for a Blueprint from a different instance, which would then allow unauthorized read access. A runtime profiler would show this function being called as part of the process of listing or accessing Collection Providers.

Vulnerable functions

com.liferay.search.experiences.internal.info.collection.provider.SXPBlueprintInfoCollectionProvider.isAvailable
modules/dxp/apps/search-experiences/search-experiences-service/src/main/java/com/liferay/search/experiences/internal/info/collection/provider/SXPBlueprintInfoCollectionProvider.java
The vulnerability lies in the `isAvailable` method, which, prior to the patch, only checked if a feature flag was enabled. It failed to validate whether the `sxpBlueprint` being accessed belongs to the same company (instance) as the current user. This allowed users to access blueprints from other instances, leading to a missing authorization vulnerability. The patch rectifies this by adding a check to compare the blueprint's company ID with the current user's company ID.
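The pre- and post-patch isAvailable() logic described above, condensed into a self-contained Java illustration (added here; it is not Liferay's code). The SXPBlueprint record, the COMPANY_ID thread-local standing in for CompanyThreadLocal, and the feature-flag helper are assumed stand-ins so the file compiles on its own; the instance ids 20097/20098 and the blueprint ids are constructed sample values.

```java
import java.util.List;

// Added illustration; Liferay types are replaced by minimal stand-ins (assumption).
public class BlueprintAvailabilityDemo {

    // Stand-in for the SXPBlueprint model: only the owning instance (companyId) matters here.
    record SXPBlueprint(long sxpBlueprintId, long companyId) {}

    // Stand-in for CompanyThreadLocal: the instance the current request is authenticated against.
    static final ThreadLocal<Long> COMPANY_ID = new ThreadLocal<>();

    // Stand-in for the feature-flag lookup (LPS-129412 per the advisory); enabled in this demo.
    static boolean isFeatureFlagEnabled(String key) {
        return "LPS-129412".equals(key);
    }

    // Pre-patch logic: availability depends on the feature flag alone, so a blueprint
    // owned by any instance is reported as available to any caller.
    static boolean isAvailableVulnerable(SXPBlueprint sxpBlueprint) {
        return isFeatureFlagEnabled("LPS-129412");
    }

    // Post-patch logic: the blueprint must also belong to the caller's own instance.
    // A missing company context (null) fails closed instead of matching everything.
    static boolean isAvailableFixed(SXPBlueprint sxpBlueprint) {
        if (!isFeatureFlagEnabled("LPS-129412")) {
            return false;
        }
        Long companyId = COMPANY_ID.get();
        return companyId != null && sxpBlueprint.companyId() == companyId;
    }

    public static void main(String[] args) {
        // Constructed sample data: one blueprint owned by each of two instances.
        List<SXPBlueprint> all = List.of(
            new SXPBlueprint(1001L, 20097L),   // owned by instance 20097
            new SXPBlueprint(1002L, 20098L));  // owned by instance 20098 (another tenant)

        COMPANY_ID.set(20097L); // request authenticated against instance 20097
        long leaked = all.stream().filter(BlueprintAvailabilityDemo::isAvailableVulnerable).count();
        long scoped = all.stream().filter(BlueprintAvailabilityDemo::isAvailableFixed).count();
        System.out.println("vulnerable isAvailable() exposes " + leaked + " of " + all.size());
        System.out.println("patched isAvailable() exposes " + scoped + " of " + all.size());

        COMPANY_ID.remove(); // no instance context at all: the patched check must deny
        System.out.println("patched, no company context: " + isAvailableFixed(all.get(1)));
    }
}
```

The cross-tenant count is the observable difference: the patched filter only admits blueprints whose companyId equals the current instance, which is the condition the commit adds.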
