Moderate severity · NVD Advisory · Published Oct 13, 2025 · Updated Oct 14, 2025

CVE-2025-62243

CVE-2025-62243

Description

Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter.

Publications comments in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 do not properly check user permissions, which allows remote authenticated users to edit publication comments via crafted URLs.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay:com.liferay.change.tracking.web (Maven) | < 2.0.122 | 2.0.122

Affected products

2

Patches

3
e1457adf84fd

LPD-15426 Do not allow user to update publication comment if they do not have the correct permissions

https://github.com/liferay/liferay-portalbrookedaltonJan 31, 2024via ghsa
1 file changed · +47 8
  • modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/action/UpdateCTCommentMVCResourceCommand.java+47 8 modified
    @@ -7,9 +7,13 @@
     
     import com.liferay.change.tracking.constants.CTPortletKeys;
     import com.liferay.change.tracking.model.CTComment;
    +import com.liferay.change.tracking.web.internal.security.permission.resource.CTCollectionPermission;
     import com.liferay.portal.kernel.json.JSONObject;
    +import com.liferay.portal.kernel.json.JSONUtil;
    +import com.liferay.portal.kernel.language.Language;
     import com.liferay.portal.kernel.portlet.JSONPortletResponseUtil;
     import com.liferay.portal.kernel.portlet.bridges.mvc.MVCResourceCommand;
    +import com.liferay.portal.kernel.security.permission.ActionKeys;
     import com.liferay.portal.kernel.theme.ThemeDisplay;
     import com.liferay.portal.kernel.util.ParamUtil;
     import com.liferay.portal.kernel.util.WebKeys;
    @@ -18,6 +22,7 @@
     import javax.portlet.ResourceResponse;
     
     import org.osgi.service.component.annotations.Component;
    +import org.osgi.service.component.annotations.Reference;
     
     /**
      * @author Samuel Trong Tran
    @@ -37,23 +42,54 @@ protected void doServeResource(
     			ResourceRequest resourceRequest, ResourceResponse resourceResponse)
     		throws Exception {
     
    +		ThemeDisplay themeDisplay = (ThemeDisplay)resourceRequest.getAttribute(
    +			WebKeys.THEME_DISPLAY);
    +
    +		long ctCollectionId = ParamUtil.getLong(
    +			resourceRequest, "ctCollectionId");
    +
    +		if (!CTCollectionPermission.contains(
    +				themeDisplay.getPermissionChecker(), ctCollectionId,
    +				ActionKeys.VIEW)) {
    +
    +			JSONPortletResponseUtil.writeJSON(
    +				resourceRequest, resourceResponse,
    +				JSONUtil.put(
    +					"errorMessage",
    +					_language.get(
    +						themeDisplay.getLocale(),
    +						"you-do-not-have-the-required-permissions")));
    +
    +			return;
    +		}
    +
     		CTComment ctComment = null;
     
     		long ctCommentId = ParamUtil.getLong(resourceRequest, "ctCommentId");
     
     		String value = ParamUtil.getString(resourceRequest, "value");
     
     		if (ctCommentId > 0) {
    -			ctComment = ctCommentLocalService.updateCTComment(
    -				ctCommentId, value);
    +			CTComment existingCTComment = ctCommentLocalService.getCTComment(
    +				ctCommentId);
    +
    +			if (existingCTComment.getUserId() == themeDisplay.getUserId()) {
    +				ctComment = ctCommentLocalService.updateCTComment(
    +					ctCommentId, value);
    +			}
    +			else {
    +				JSONPortletResponseUtil.writeJSON(
    +					resourceRequest, resourceResponse,
    +					JSONUtil.put(
    +						"errorMessage",
    +						_language.get(
    +							themeDisplay.getLocale(),
    +							"you-do-not-have-the-required-permissions")));
    +
    +				return;
    +			}
     		}
     		else {
    -			ThemeDisplay themeDisplay =
    -				(ThemeDisplay)resourceRequest.getAttribute(
    -					WebKeys.THEME_DISPLAY);
    -
    -			long ctCollectionId = ParamUtil.getLong(
    -				resourceRequest, "ctCollectionId");
     			long ctEntryId = ParamUtil.getLong(resourceRequest, "ctEntryId");
     
     			ctComment = ctCommentLocalService.addCTComment(
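Review bot: The VIEW check at the top of doServeResource is made against the request's `ctCollectionId`, but the update branch then loads `existingCTComment` by `ctCommentId` alone and never confirms that the comment belongs to that collection, so the collection the caller was authorized on and the collection whose comment is modified are not tied together. Unless the comment's own collection is what gets checked (for example by reading it from `existingCTComment`, if CTComment exposes its collection id, which this hunk does not show), the comparison `if (existingCTComment.getUserId() == themeDisplay.getUserId())` is the only effective guard for updates and the collection check only governs the add branch. `getCTComment` presumably throws when the id does not resolve; since doServeResource declares `throws Exception`, that case escapes as an exception rather than the JSON error the two other failure paths return, which is worth confirming is intended. The two identical error-response blocks could be folded into one private helper such as `_writeErrorJSON(resourceRequest, resourceResponse, themeDisplay)` so the message key is maintained in one place. doServeResource continues past this hunk.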
    @@ -68,4 +104,7 @@ protected void doServeResource(
     			resourceRequest, resourceResponse, jsonObject);
     	}
     
    +	@Reference
    +	private Language _language;
    +
     }
    \ No newline at end of file
    
8190bb30e8a1

LPD-15426 Do not allow user to view publication comment if they do not have the correct permissions

https://github.com/liferay/liferay-portalbrookedaltonJan 31, 2024via ghsa
1 file changed · +17 1
  • modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/action/GetCTCommentsMVCResourceCommand.java+17 1 modified
    @@ -10,6 +10,8 @@
     import com.liferay.change.tracking.model.CTCommentTable;
     import com.liferay.change.tracking.service.CTCommentLocalService;
     import com.liferay.change.tracking.web.internal.display.context.DisplayContextUtil;
    +import com.liferay.change.tracking.web.internal.security.permission.resource.CTCollectionPermission;
    +import com.liferay.portal.kernel.exception.PortalException;
     import com.liferay.portal.kernel.json.JSONArray;
     import com.liferay.portal.kernel.json.JSONFactory;
     import com.liferay.portal.kernel.json.JSONObject;
    @@ -19,6 +21,7 @@
     import com.liferay.portal.kernel.portlet.JSONPortletResponseUtil;
     import com.liferay.portal.kernel.portlet.bridges.mvc.BaseMVCResourceCommand;
     import com.liferay.portal.kernel.portlet.bridges.mvc.MVCResourceCommand;
    +import com.liferay.portal.kernel.security.permission.ActionKeys;
     import com.liferay.portal.kernel.service.UserLocalService;
     import com.liferay.portal.kernel.theme.ThemeDisplay;
     import com.liferay.portal.kernel.util.FastDateFormatFactoryUtil;
    @@ -61,7 +64,8 @@ protected void doServeResource(
     	}
     
     	protected JSONObject getCTCommentsJSONObject(
    -		ResourceRequest resourceRequest) {
    +			ResourceRequest resourceRequest)
    +		throws PortalException {
     
     		JSONArray commentsJSONArray = jsonFactory.createJSONArray();
     
    @@ -71,6 +75,18 @@ protected JSONObject getCTCommentsJSONObject(
     		long ctCollectionId = ParamUtil.getLong(
     			resourceRequest, "ctCollectionId");
     
    +		if (!CTCollectionPermission.contains(
    +				themeDisplay.getPermissionChecker(), ctCollectionId,
    +				ActionKeys.VIEW)) {
    +
    +			return JSONUtil.put(
    +				"errorMessage",
    +				language.get(
    +					themeDisplay.getLocale(),
    +					"you-do-not-have-the-required-permissions-to-access-this-" +
    +						"content"));
    +		}
    +
     		Map<Long, List<CTComment>> ctCommentsMap =
     			ctCommentLocalService.getCTCollectionCTComments(ctCollectionId);
     
    
f68ecf7fd8e0

LPD-15426 Do not allow user to delete publication comment if they do not have the correct permissions

https://github.com/liferay/liferay-portalbrookedaltonJan 31, 2024via ghsa
1 file changed · +55 0
  • modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/action/DeleteCTCommentMVCResourceCommand.java+55 0 modified
    @@ -6,14 +6,24 @@
     package com.liferay.change.tracking.web.internal.portlet.action;
     
     import com.liferay.change.tracking.constants.CTPortletKeys;
    +import com.liferay.change.tracking.model.CTComment;
    +import com.liferay.change.tracking.web.internal.constants.PublicationRoleConstants;
    +import com.liferay.portal.kernel.json.JSONUtil;
    +import com.liferay.portal.kernel.language.Language;
    +import com.liferay.portal.kernel.model.Role;
     import com.liferay.portal.kernel.portlet.JSONPortletResponseUtil;
     import com.liferay.portal.kernel.portlet.bridges.mvc.MVCResourceCommand;
    +import com.liferay.portal.kernel.security.permission.PermissionChecker;
    +import com.liferay.portal.kernel.service.RoleLocalService;
    +import com.liferay.portal.kernel.theme.ThemeDisplay;
     import com.liferay.portal.kernel.util.ParamUtil;
    +import com.liferay.portal.kernel.util.WebKeys;
     
     import javax.portlet.ResourceRequest;
     import javax.portlet.ResourceResponse;
     
     import org.osgi.service.component.annotations.Component;
    +import org.osgi.service.component.annotations.Reference;
     
     /**
      * @author Samuel Trong Tran
    @@ -33,13 +43,58 @@ protected void doServeResource(
     			ResourceRequest resourceRequest, ResourceResponse resourceResponse)
     		throws Exception {
     
    +		ThemeDisplay themeDisplay = (ThemeDisplay)resourceRequest.getAttribute(
    +			WebKeys.THEME_DISPLAY);
    +
     		long ctCommentId = ParamUtil.getLong(resourceRequest, "ctCommentId");
     
    +		CTComment ctComment = ctCommentLocalService.getCTComment(ctCommentId);
    +
    +		if (!_hasAdminRole(themeDisplay.getPermissionChecker()) &&
    +			(ctComment.getUserId() != themeDisplay.getUserId())) {
    +
    +			JSONPortletResponseUtil.writeJSON(
    +				resourceRequest, resourceResponse,
    +				JSONUtil.put(
    +					"errorMessage",
    +					_language.get(
    +						themeDisplay.getLocale(),
    +						"you-do-not-have-permission-to-delete-this-item")));
    +
    +			return;
    +		}
    +
     		ctCommentLocalService.deleteCTComment(ctCommentId);
     
     		JSONPortletResponseUtil.writeJSON(
     			resourceRequest, resourceResponse,
     			getCTCommentsJSONObject(resourceRequest));
     	}
     
    +	private boolean _hasAdminRole(PermissionChecker permissionChecker) {
    +		if (permissionChecker.isCompanyAdmin()) {
    +			return true;
    +		}
    +
    +		Role publicationAdministratorRole = _roleLocalService.fetchRole(
    +			permissionChecker.getCompanyId(),
    +			PublicationRoleConstants.NAME_ADMIN);
    +
    +		if ((publicationAdministratorRole != null) &&
    +			_roleLocalService.hasUserRole(
    +				permissionChecker.getUserId(),
    +				publicationAdministratorRole.getRoleId())) {
    +
    +			return true;
    +		}
    +
    +		return false;
    +	}
    +
    +	@Reference
    +	private Language _language;
    +
    +	@Reference
    +	private RoleLocalService _roleLocalService;
    +
     }
    \ No newline at end of file
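Review bot: The delete guard accepts the comment's owner or a publications administrator but, unlike the update and view commands in the sibling patches, never checks `CTCollectionPermission` for the comment's publication, so deletion is decided by comment ownership or a company-wide role rather than by access to the publication; if that asymmetry is intentional it deserves a comment on the `if (!_hasAdminRole(...) && ...)` condition. `getCTComment(ctCommentId)` is now called before any validation, so a missing or zero id presumably surfaces as an exception through `throws Exception` instead of the JSON error the guard returns. `_hasAdminRole` fetches the role on every request, and its tail can be written as `return (publicationAdministratorRole != null) && _roleLocalService.hasUserRole(permissionChecker.getUserId(), publicationAdministratorRole.getRoleId());`. The body of doServeResource starts before this hunk.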
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.