Vulnerability DatabaseCVE-2025-62252
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-62252
October 13, 2025
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.
Affected Packages
com.liferay.portal:com.liferay.portal.impl (JAVA):
Affected version(s) >=1.0.0 <99.0.0
Fix Suggestion:
Update to version 99.0.0
Related ResourcesĀ (6)
https://github.com/liferay/liferay-portal/commit/e7b6074a320a8872ffe9423c3d1a64dada4f3238
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62252
https://github.com/liferay/liferay-portal
https://nvd.nist.gov/vuln/detail/CVE-2025-62252
https://github.com/liferay/liferay-portal/commit/8c3fc088f82ffc981a21935e8b6dcf8f36e27152
https://liferay.atlassian.net/browse/LPE-17941
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Authorization Bypass Through User-Controlled Key
CWE-639
EPSS
Base Score:
0.05