CVE-2025-43810
Description
Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users from one virtual instance to add a note to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.commerce:com.liferay.commerce.service (Maven) | < 11.0.164 | 11.0.164 |
Affected products
- Liferay/DXP v5 Range: 7.4.13
Patches
72259fbf5a81 LPD-15996 Match param name in method
1 file changed · +2 −2
modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/internal/security/permission/resource/CommerceOrderModelResourcePermissionLogic.java+2 −2 modified
@@ -267,14 +267,14 @@ private boolean _containsManageNotes(
 }
 AccountEntry accountEntry = commerceOrder.getAccountEntry();
- String manageNotesPermission = restricted ?
+ String actionIds = restricted ?
 CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES : CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_NOTES;
 if (_hasRoleAccountSupplier(permissionChecker, commerceOrder) && _hasPermission( permissionChecker, accountEntry.getAccountEntryGroupId(),
- manageNotesPermission)) {
+ actionIds)) {
 return true;
 }
9fad6a23b3c0 LPD-15996 Order notes fixed permission checking
2 files changed · +31 −44
modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/internal/security/permission/resource/CommerceOrderModelResourcePermissionLogic.java+11 −0 modified
@@ -267,6 +267,17 @@ private boolean _containsManageNotes(
 }
 AccountEntry accountEntry = commerceOrder.getAccountEntry();
+ String manageNotesPermission = restricted ?
+ CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES :
+ CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_NOTES;
+
+ if (_hasRoleAccountSupplier(permissionChecker, commerceOrder) &&
+ _hasPermission(
+ permissionChecker, accountEntry.getAccountEntryGroupId(),
+ manageNotesPermission)) {
+
+ return true;
+ }
 return _hasAncestorPermission( permissionChecker, accountEntry.getAccountEntryGroupId(),
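Review bot: `_containsManageNotes` now has two grant paths and nothing says why the account-supplier path is tried first or why it checks the account entry's own group instead of going through `_hasAncestorPermission`; a comment above the added `if` would help, e.g. `// Account suppliers are granted directly on the account entry's group; everyone else falls through to the ancestor-group lookup below.` The method starts before the hunk, so the `restricted` parameter and any null handling for `commerceOrder.getAccountEntry()` are not visible here; `accountEntry.getAccountEntryGroupId()` is dereferenced on the added line exactly as the unchanged `_hasAncestorPermission` call below already does, so the change does not appear to introduce a new null path. The local `manageNotesPermission` holds an action id rather than a permission object, which is worth reflecting in the name.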
modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/service/impl/CommerceOrderNoteServiceImpl.java+20 −44 modified
@@ -6,15 +6,13 @@ package com.liferay.commerce.service.impl;
 import com.liferay.commerce.constants.CommerceOrderActionKeys;
-import com.liferay.commerce.constants.CommerceOrderConstants;
 import com.liferay.commerce.model.CommerceOrder;
 import com.liferay.commerce.model.CommerceOrderNote;
 import com.liferay.commerce.service.base.CommerceOrderNoteServiceBaseImpl;
 import com.liferay.portal.aop.AopService;
 import com.liferay.portal.kernel.exception.PortalException;
 import com.liferay.portal.kernel.security.permission.ActionKeys;
 import com.liferay.portal.kernel.security.permission.resource.ModelResourcePermission;
-import com.liferay.portal.kernel.security.permission.resource.PortletResourcePermission;
 import com.liferay.portal.kernel.service.ServiceContext;
 import java.util.List;
@@ -49,7 +47,7 @@ public CommerceOrderNote addCommerceOrderNote(
 CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES;
 }
- _portletResourcePermission.check(
+ _commerceOrderModelResourcePermission.check(
 getPermissionChecker(), commerceOrderId, actionId);
 return commerceOrderNoteLocalService.addCommerceOrderNote(
@@ -70,7 +68,7 @@ public CommerceOrderNote addOrUpdateCommerceOrderNote(
 CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES;
 }
- _portletResourcePermission.check(
+ _commerceOrderModelResourcePermission.check(
 getPermissionChecker(), commerceOrderId, actionId);
 return commerceOrderNoteLocalService.addOrUpdateCommerceOrderNote(
@@ -93,7 +91,7 @@ public void deleteCommerceOrderNote(long commerceOrderNoteId)
 CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES;
 }
- _portletResourcePermission.check(
+ _commerceOrderModelResourcePermission.check(
 getPermissionChecker(), commerceOrderNote.getCommerceOrderId(), actionId);
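Review bot: Every public method now repeats the same `if (restricted) { actionId = ...RESTRICTED_NOTES; }` followed by the same `_commerceOrderModelResourcePermission.check(getPermissionChecker(), commerceOrderId, actionId);`, here in `addCommerceOrderNote`, `addOrUpdateCommerceOrderNote` and `deleteCommerceOrderNote` and again in the `getCommerceOrderNotes` and `getCommerceOrderNotesCount` overloads of the later hunks, while the private `_checkCommerceOrderNotePermissions(CommerceOrderNote)` at the end of the file already makes the same selection for a loaded note. A helper such as `private void _checkCommerceOrderPermission(long commerceOrderId, boolean restricted) throws PortalException` would keep the action-id choice in one place so a future method cannot forget the restricted case. The switch itself is the fix: the removed `_portletResourcePermission.check(...)` passed `commerceOrderId` in a position that, as I read the API, a portlet-resource check treats as a group id, so the order was never resolved, whereas the model-resource check looks the order up by primary key and the logic in the other file then scopes the decision to that order's account entry group. The enclosing methods begin before each hunk, so the non-restricted initial value of `actionId` is not visible here.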
@@ -111,7 +109,7 @@ public CommerceOrderNote fetchByExternalReferenceCode(
 externalReferenceCode, companyId);
 if (commerceOrderNote != null) {
- _portletResourcePermission.check(
+ _commerceOrderModelResourcePermission.check(
 getPermissionChecker(), commerceOrderNote.getCommerceOrderId(), CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES);
 }
@@ -155,15 +153,11 @@ public List<CommerceOrderNote> getCommerceOrderNotes(
 if (restricted) {
 actionId = CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES;
-
- _portletResourcePermission.check(
- getPermissionChecker(), commerceOrderId, actionId);
- }
- else {
- _commerceOrderModelResourcePermission.check(
- getPermissionChecker(), commerceOrderId, actionId);
 }
+ _commerceOrderModelResourcePermission.check(
+ getPermissionChecker(), commerceOrderId, actionId);
+
 return commerceOrderNoteLocalService.getCommerceOrderNotes( commerceOrderId, restricted);
 }
@@ -178,15 +172,11 @@ public List<CommerceOrderNote> getCommerceOrderNotes(
 if (restricted) {
 actionId = CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES;
-
- _portletResourcePermission.check(
- getPermissionChecker(), commerceOrderId, actionId);
- }
- else {
- _commerceOrderModelResourcePermission.check(
- getPermissionChecker(), commerceOrderId, actionId);
 }
+ _commerceOrderModelResourcePermission.check(
+ getPermissionChecker(), commerceOrderId, actionId);
+
 return commerceOrderNoteLocalService.getCommerceOrderNotes( commerceOrderId, restricted, start, end);
 }
@@ -196,7 +186,7 @@ public List<CommerceOrderNote> getCommerceOrderNotes(
 long commerceOrderId, int start, int end) throws PortalException {
- _portletResourcePermission.check(
+ _commerceOrderModelResourcePermission.check(
 getPermissionChecker(), commerceOrderId, CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES);
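Review bot: `fetchByExternalReferenceCode` still demands `MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES` for every note it returns, although the note is already loaded at that point and its `isRestricted()` flag is known; the sibling methods in this file, and the private `_checkCommerceOrderNotePermissions(CommerceOrderNote)` in the later hunks, pick the restricted or plain action id from that flag. Unless requiring the restricted permission for any by-reference-code lookup is deliberate, replacing the three-line check with `_checkCommerceOrderNotePermissions(commerceOrderNote);` would make this method consistent with the rest of the file; if it is deliberate, a one-line comment saying so would stop the next reader from "fixing" it. The method starts before the hunk, so the lookup that fills `commerceOrderNote` is not visible here.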
@@ -208,7 +198,7 @@ public List<CommerceOrderNote> getCommerceOrderNotes(
 public int getCommerceOrderNotesCount(long commerceOrderId) throws PortalException {
- _portletResourcePermission.check(
+ _commerceOrderModelResourcePermission.check(
 getPermissionChecker(), commerceOrderId, CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES);
@@ -226,15 +216,11 @@ public int getCommerceOrderNotesCount(
 if (restricted) {
 actionId = CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES;
-
- _portletResourcePermission.check(
- getPermissionChecker(), commerceOrderId, actionId);
- }
- else {
- _commerceOrderModelResourcePermission.check(
- getPermissionChecker(), commerceOrderId, actionId);
 }
+ _commerceOrderModelResourcePermission.check(
+ getPermissionChecker(), commerceOrderId, actionId);
+
 return commerceOrderNoteLocalService.getCommerceOrderNotesCount( commerceOrderId, restricted);
 }
@@ -255,7 +241,7 @@ public CommerceOrderNote updateCommerceOrderNote(
 CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES;
 }
- _portletResourcePermission.check(
+ _commerceOrderModelResourcePermission.check(
 getPermissionChecker(), commerceOrderNote.getCommerceOrderId(), actionId);
@@ -276,16 +262,11 @@ private void _checkCommerceOrderNotePermissions(
 if (commerceOrderNote.isRestricted()) {
 actionId = CommerceOrderActionKeys.MANAGE_COMMERCE_ORDER_RESTRICTED_NOTES;
-
- _portletResourcePermission.check(
- getPermissionChecker(), commerceOrderNote.getCommerceOrderId(),
- actionId);
- }
- else {
- _commerceOrderModelResourcePermission.check(
- getPermissionChecker(), commerceOrderNote.getCommerceOrderId(),
- actionId);
 }
+
+ _commerceOrderModelResourcePermission.check(
+ getPermissionChecker(), commerceOrderNote.getCommerceOrderId(),
+ actionId);
 }
 @Reference(
@@ -294,9 +275,4 @@ private void _checkCommerceOrderNotePermissions(
 private ModelResourcePermission<CommerceOrder> _commerceOrderModelResourcePermission;
- @Reference(
- target = "(resource.name=" + CommerceOrderConstants.RESOURCE_NAME + ")"
- )
- private PortletResourcePermission _portletResourcePermission;
-
 }
\ No newline at end of file
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-f372-9rcj-8w2c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-43810 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/72259fbf5a81596e99b615df480dee0b0fa3aa09 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/9fad6a23b3c04146ef80a59b056f24b17cc2e721 (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-17935 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43810 (ghsa, WEB)