CVE-2025-62252: Liferay is Vulnerable to Authorization Bypass Through User-Controlled Key
N/A
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay.portal:com.liferay.portal.impl | maven | < 99.0.0 | 99.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is an IDOR (authorization bypass through a user-controlled key) in Liferay Portal that allows an authenticated user to assign users from a different virtual instance to an organization. The provided patches address this issue. The core of the fix is commit e7b6074a320a8872ffe9423c3d1a64dada4f3238, which modifies the com.liferay.portal.service.impl.UserServiceImpl class: the addOrganizationUsers method now performs an additional validation step by calling validateUserIds(userIds). The new validateUserIds method iterates over the supplied user IDs and calls getUserById for each one. In Liferay's architecture, service calls such as getUserById are scoped to the current user's virtual instance (company), so an attempt to retrieve a user belonging to a different instance fails and the cross-instance assignment is prevented. addOrganizationUsers is the vulnerable function because it lacked this validation.

The second commit, 8c3fc088f82ffc981a21935e8b6dcf8f36e27152, adds an integration test that exercises the fix by attempting the cross-instance assignment and asserting that it fails as expected, which confirms that addOrganizationUsers was the service-layer entry point for the vulnerability.
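The fix pattern described above, as an added example that is not Liferay's own code: a hypothetical in-memory service models users that belong to a virtual instance (companyId), and shows the unchecked membership write beside a version that resolves every supplied ID within the caller's company before writing anything. The class and record names, the in-memory maps and the explicit callerCompanyId parameter are assumptions made for the illustration.

```java
import java.util.*;

// Hypothetical model of the pattern, not Liferay's code: each user belongs to one
// virtual instance (companyId); organization membership is keyed by organizationId.
public class OrganizationMembership {
    record User(long userId, long companyId) {}

    private final Map<Long, User> users = new HashMap<>();
    private final Map<Long, Set<Long>> members = new HashMap<>();

    void addUser(User u) { users.put(u.userId(), u); }
    Set<Long> membersOf(long organizationId) { return members.getOrDefault(organizationId, Set.of()); }

    // Stand-in for a company-scoped getUserById: a user from another virtual
    // instance is invisible to the caller and resolves as "not found".
    User getUserById(long callerCompanyId, long userId) {
        User u = users.get(userId);
        if (u == null || u.companyId() != callerCompanyId) {
            throw new NoSuchElementException("user " + userId + " not in company " + callerCompanyId);
        }
        return u;
    }
    // Vulnerable shape: trusts the caller-supplied IDs and writes membership directly,
    // so an ID belonging to another instance is accepted.
    void addOrganizationUsersUnchecked(long organizationId, long[] userIds) {
        Set<Long> set = members.computeIfAbsent(organizationId, k -> new HashSet<>());
        for (long id : userIds) set.add(id);
    }
    // Fixed shape: resolve every ID within the caller's company before any write,
    // so one foreign ID rejects the whole request instead of partially applying it.
    void addOrganizationUsers(long callerCompanyId, long organizationId, long[] userIds) {
        validateUserIds(callerCompanyId, userIds);
        addOrganizationUsersUnchecked(organizationId, userIds);
    }
    void validateUserIds(long callerCompanyId, long[] userIds) {
        for (long id : userIds) getUserById(callerCompanyId, id); // throws on a foreign or unknown ID
    }

    public static void main(String[] args) {
        OrganizationMembership svc = new OrganizationMembership();
        svc.addUser(new User(10L, 1L)); // constructed: user 10 in instance 1
        svc.addUser(new User(20L, 2L)); // constructed: user 20 in instance 2
        svc.addOrganizationUsersUnchecked(100L, new long[] {10L, 20L});
        System.out.println("unchecked: " + svc.membersOf(100L));
        try {
            svc.addOrganizationUsers(1L, 101L, new long[] {10L, 20L});
        } catch (NoSuchElementException e) {
            System.out.println("checked: " + e.getMessage() + "; members " + svc.membersOf(101L));
        }
    }
}
```

Validating before the first write matters as much as validating at all: a check inside the write loop would still leave earlier, legitimate IDs applied when a later foreign ID is rejected.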
Vulnerable functions
com.liferay.portal.service.impl.UserServiceImpl.addOrganizationUsers (portal-impl/src/com/liferay/portal/service/impl/UserServiceImpl.java)