Moderate severityNVD Advisory· Published Sep 30, 2025· Updated Sep 30, 2025

CVE-2025-43827


Description

Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users from one virtual instance to view the audit events of a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay:com.liferay.portal.security.audit.web (Maven) | >= 5.0.1, < 5.0.33 | 5.0.33
com.liferay:com.liferay.portal.security.audit.storage.service (Maven) | >= 6.0.4, < 6.0.41 | 6.0.41

Affected products

2

Patches

3
d85c2f24397d

LPD-16002 Minor changes

https://github.com/liferay/liferay-portalBrian ChanApr 12, 2024via ghsa
1 file changed · +9 3
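--- a/modules/dxp/apps/portal-security-audit/portal-security-audit-web/src/main/java/com/liferay/portal/security/audit/web/internal/portlet/AuditPortlet.java
+++ b/modules/dxp/apps/portal-security-audit/portal-security-audit-web/src/main/java/com/liferay/portal/security/audit/web/internal/portlet/AuditPortlet.java
@@ -92,9 +92,15 @@ private void _checkCompanyAdmin(PortletRequest portletRequest)
 			AuditEvent auditEvent = AuditEventManagerUtil.fetchAuditEvent(
 				auditEventId);
 
-			if (permissionChecker.getCompanyId() != auditEvent.getCompanyId()) {
-				throw new PortletException(
-					"This event does not belong to this company");
+			if ((auditEvent != null) &&
+				(permissionChecker.getCompanyId() !=
+					auditEvent.getCompanyId())) {
+
+				PrincipalException principalException =
+					new PrincipalException.MustBeCompanyAdmin(
+						permissionChecker.getUserId());
+
+				throw new PortletException(principalException);
 			}
 		}
 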
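Review bot: The exception thrown for a cross-company event, `new PrincipalException.MustBeCompanyAdmin(permissionChecker.getUserId())`, names the wrong condition: the caller may well be a company admin of their own virtual instance, and what actually failed is that the event's companyId differs from the caller's. Anyone triaging the resulting logs will read it as a missing role rather than as an attempt to read another instance's audit event, which is the signal a defender wants to see. If the type is kept deliberately so that the response is indistinguishable from the plain admin-check failure, a comment should say so, e.g. `// Reuse the admin-failure response so a cross-instance event id is not distinguishable from a missing role`. With the new null guard an unknown auditEventId now falls through to the role check that follows; `_checkCompanyAdmin` starts before and continues after this hunk.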
    
f99602a23ce1

LPD-16002 Prevent users without the right role to access events from another company

https://github.com/liferay/liferay-portalPedro Victor SilvestreApr 5, 2024via ghsa
1 file changed · +4 4
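--- a/modules/apps/portal-security-audit/portal-security-audit-storage-service/src/main/java/com/liferay/portal/security/audit/storage/service/impl/AuditEventServiceImpl.java
+++ b/modules/apps/portal-security-audit/portal-security-audit-storage-service/src/main/java/com/liferay/portal/security/audit/storage/service/impl/AuditEventServiceImpl.java
@@ -41,7 +41,7 @@ public List<AuditEvent> getAuditEvents(long companyId, int start, int end)
 
 		PermissionChecker permissionChecker = getPermissionChecker();
 
-		if (!(permissionChecker.isCompanyAdmin() ||
+		if (!(permissionChecker.isCompanyAdmin(companyId) ||
 			  _userLocalService.hasRoleUser(
 				  companyId, RoleConstants.ANALYTICS_ADMINISTRATOR,
 				  permissionChecker.getUserId(), true))) {
@@ -60,7 +60,7 @@ public List<AuditEvent> getAuditEvents(
 
 		PermissionChecker permissionChecker = getPermissionChecker();
 
-		if (!(permissionChecker.isCompanyAdmin() ||
+		if (!(permissionChecker.isCompanyAdmin(companyId) ||
 			  _userLocalService.hasRoleUser(
 				  companyId, RoleConstants.ANALYTICS_ADMINISTRATOR,
 				  permissionChecker.getUserId(), true))) {
@@ -83,7 +83,7 @@ public List<AuditEvent> getAuditEvents(
 
 		PermissionChecker permissionChecker = getPermissionChecker();
 
-		if (!(permissionChecker.isCompanyAdmin() ||
+		if (!(permissionChecker.isCompanyAdmin(companyId) ||
 			  _userLocalService.hasRoleUser(
 				  companyId, RoleConstants.ANALYTICS_ADMINISTRATOR,
 				  permissionChecker.getUserId(), true))) {
@@ -109,7 +109,7 @@ public List<AuditEvent> getAuditEvents(
 
 		PermissionChecker permissionChecker = getPermissionChecker();
 
-		if (!(permissionChecker.isCompanyAdmin() ||
+		if (!(permissionChecker.isCompanyAdmin(companyId) ||
 			  _userLocalService.hasRoleUser(
 				  companyId, RoleConstants.ANALYTICS_ADMINISTRATOR,
 				  permissionChecker.getUserId(), true))) {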
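Review bot: The corrected predicate `permissionChecker.isCompanyAdmin(companyId) || _userLocalService.hasRoleUser(companyId, RoleConstants.ANALYTICS_ADMINISTRATOR, permissionChecker.getUserId(), true)` is copied verbatim into all four getAuditEvents overloads (hunks at -41, -60, -83 and -109), and the defect being fixed — the admin check scoped to the caller's own company while the role check was already scoped to the requested companyId — is exactly the drift that duplicated authorization checks invite. Extract it into one private helper such as `_checkGetPermission(long companyId)` that every overload calls first, so a future overload cannot omit or mis-scope the check. The remainder of each method, including what is thrown when the check fails, lies outside the hunks.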
    
a14427e23384

LPD-16002 Do not show audit event if it is from the wrong company

https://github.com/liferay/liferay-portalPedro Victor SilvestreApr 5, 2024via ghsa
1 file changed · +22 4
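--- a/modules/dxp/apps/portal-security-audit/portal-security-audit-web/src/main/java/com/liferay/portal/security/audit/web/internal/portlet/AuditPortlet.java
+++ b/modules/dxp/apps/portal-security-audit/portal-security-audit-web/src/main/java/com/liferay/portal/security/audit/web/internal/portlet/AuditPortlet.java
@@ -9,6 +9,9 @@
 import com.liferay.portal.kernel.security.auth.PrincipalException;
 import com.liferay.portal.kernel.security.permission.PermissionChecker;
 import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
+import com.liferay.portal.kernel.util.ParamUtil;
+import com.liferay.portal.security.audit.AuditEvent;
+import com.liferay.portal.security.audit.web.internal.AuditEventManagerUtil;
 import com.liferay.portal.security.audit.web.internal.constants.AuditPortletKeys;
 
 import java.io.IOException;
@@ -17,6 +20,7 @@
 import javax.portlet.ActionResponse;
 import javax.portlet.Portlet;
 import javax.portlet.PortletException;
+import javax.portlet.PortletRequest;
 import javax.portlet.RenderRequest;
 import javax.portlet.RenderResponse;
 import javax.portlet.ResourceRequest;
@@ -51,7 +55,7 @@ public void processAction(
 			ActionRequest actionRequest, ActionResponse actionResponse)
 		throws IOException, PortletException {
 
-		_checkCompanyAdmin();
+		_checkCompanyAdmin(actionRequest);
 
 		super.processAction(actionRequest, actionResponse);
 	}
@@ -61,7 +65,7 @@ public void render(
 			RenderRequest renderRequest, RenderResponse renderResponse)
 		throws IOException, PortletException {
 
-		_checkCompanyAdmin();
+		_checkCompanyAdmin(renderRequest);
 
 		super.render(renderRequest, renderResponse);
 	}
@@ -71,15 +75,29 @@ public void serveResource(
 			ResourceRequest resourceRequest, ResourceResponse resourceResponse)
 		throws IOException, PortletException {
 
-		_checkCompanyAdmin();
+		_checkCompanyAdmin(resourceRequest);
 
 		super.serveResource(resourceRequest, resourceResponse);
 	}
 
-	private void _checkCompanyAdmin() throws PortletException {
+	private void _checkCompanyAdmin(PortletRequest portletRequest)
+		throws PortletException {
+
 		PermissionChecker permissionChecker =
 			PermissionThreadLocal.getPermissionChecker();
 
+		long auditEventId = ParamUtil.getLong(portletRequest, "auditEventId");
+
+		if (auditEventId > 0) {
+			AuditEvent auditEvent = AuditEventManagerUtil.fetchAuditEvent(
+				auditEventId);
+
+			if (permissionChecker.getCompanyId() != auditEvent.getCompanyId()) {
+				throw new PortletException(
+					"This event does not belong to this company");
+			}
+		}
+
 		if (!permissionChecker.isCompanyAdmin()) {
 			PrincipalException principalException =
 				new PrincipalException.MustBeCompanyAdmin(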
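Review bot: `auditEvent.getCompanyId()` in the new `_checkCompanyAdmin` body is dereferenced without a null check; if `AuditEventManagerUtil.fetchAuditEvent` follows the usual Liferay fetch* convention of returning null for an unknown id, a request carrying a stale auditEventId ends in a NullPointerException instead of the intended PortletException (the follow-up commit d85c2f24397d on this page adds `(auditEvent != null) &&` to the condition). The message `"This event does not belong to this company"` is also only produced when an event with that id exists in another instance, so the response distinguishes "no such event" from "exists elsewhere"; a uniform failure response, as the later commit adopts, is the better default for a cross-instance check. The `ParamUtil.getLong(portletRequest, "auditEventId")` read presumably resolves the portlet-namespaced parameter named in the advisory description; worth confirming against the PortletRequest overload. The method continues past the end of the hunk.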
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.