Moderate severityNVD Advisory· Published Oct 13, 2025· Updated Oct 14, 2025
CVE-2025-62244
CVE-2025-62244
Description
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay:com.liferay.change.tracking.webMaven | < 2.0.122 | 2.0.122 |
Affected products
2- Liferay/DXPv5Range: 7.3.10
Patches
21 file changed · +3 −3
modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/action/EditCTCollectionMVCRenderCommand.java+3 −3 modified@@ -52,12 +52,12 @@ public class EditCTCollectionMVCRenderCommand implements MVCRenderCommand { public String render( RenderRequest renderRequest, RenderResponse renderResponse) { - long ctCollectionId = ParamUtil.getLong( - renderRequest, "ctCollectionId"); - ThemeDisplay themeDisplay = (ThemeDisplay)renderRequest.getAttribute( WebKeys.THEME_DISPLAY); + long ctCollectionId = ParamUtil.getLong( + renderRequest, "ctCollectionId"); + try { if (ctCollectionId != 0) { _ctCollectionModelResourcePermission.check(
31cf99363bf6LPD-15354 Check for user permission when editing publication
3 files changed · +44 −4
modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/action/EditCTCollectionMVCRenderCommand.java+26 −3 modified@@ -6,6 +6,7 @@ package com.liferay.change.tracking.web.internal.portlet.action; import com.liferay.change.tracking.constants.CTPortletKeys; +import com.liferay.change.tracking.model.CTCollection; import com.liferay.change.tracking.model.CTCollectionTemplate; import com.liferay.change.tracking.service.CTCollectionLocalService; import com.liferay.change.tracking.service.CTCollectionTemplateLocalService; @@ -16,6 +17,9 @@ import com.liferay.portal.kernel.json.JSONObject; import com.liferay.portal.kernel.json.JSONSerializer; import com.liferay.portal.kernel.portlet.bridges.mvc.MVCRenderCommand; +import com.liferay.portal.kernel.security.permission.ActionKeys; +import com.liferay.portal.kernel.security.permission.resource.ModelResourcePermission; +import com.liferay.portal.kernel.servlet.SessionErrors; import com.liferay.portal.kernel.theme.ThemeDisplay; import com.liferay.portal.kernel.util.ParamUtil; import com.liferay.portal.kernel.util.WebKeys; @@ -51,6 +55,22 @@ public String render( long ctCollectionId = ParamUtil.getLong( renderRequest, "ctCollectionId"); + ThemeDisplay themeDisplay = (ThemeDisplay)renderRequest.getAttribute( + WebKeys.THEME_DISPLAY); + + try { + if (ctCollectionId != 0) { + _ctCollectionModelResourcePermission.check( + themeDisplay.getPermissionChecker(), ctCollectionId, + ActionKeys.UPDATE); + } + } + catch (Exception exception) { + SessionErrors.add(renderRequest, exception.getClass()); + + return "/publications/error.jsp"; + } + renderRequest.setAttribute( CTWebKeys.CT_COLLECTION, _ctCollectionLocalService.fetchCTCollection(ctCollectionId)); @@ -65,9 +85,6 @@ public String render( JSONSerializer jsonSerializer = _jsonFactory.createJSONSerializer(); - ThemeDisplay themeDisplay = (ThemeDisplay)renderRequest.getAttribute( - WebKeys.THEME_DISPLAY); - List<CTCollectionTemplate> ctCollectionTemplates = _ctCollectionTemplateLocalService.getCTCollectionTemplates( themeDisplay.getCompanyId(), 0, 100); @@ -111,6 +128,12 @@ public String render( @Reference private CTCollectionLocalService _ctCollectionLocalService; + @Reference( + target = "(model.class.name=com.liferay.change.tracking.model.CTCollection)" + ) + private ModelResourcePermission<CTCollection> + _ctCollectionModelResourcePermission; + @Reference private CTCollectionTemplateLocalService _ctCollectionTemplateLocalService;
modules/apps/change-tracking/change-tracking-web/src/main/java/com/liferay/change/tracking/web/internal/portlet/PublicationsPortlet.java+6 −1 modified@@ -21,6 +21,7 @@ import com.liferay.portal.kernel.security.permission.ActionKeys; import com.liferay.portal.kernel.security.permission.PermissionThreadLocal; import com.liferay.portal.kernel.service.permission.PortletPermissionUtil; +import com.liferay.portal.kernel.servlet.SessionErrors; import com.liferay.portal.kernel.util.ParamUtil; import com.liferay.portal.kernel.util.Portal; @@ -73,7 +74,11 @@ public void render( checkPermissions(renderRequest); } catch (Exception exception) { - throw new PortletException(exception); + SessionErrors.add(renderRequest, exception.getClass()); + + include("/publications/error.jsp", renderRequest, renderResponse); + + return; } PublicationsDisplayContext publicationsDisplayContext =
modules/apps/change-tracking/change-tracking-web/src/main/resources/META-INF/resources/publications/error.jsp+12 −0 added@@ -0,0 +1,12 @@ +<%-- +/** + * SPDX-FileCopyrightText: (c) 2024 Liferay, Inc. https://liferay.com + * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06 + */ +--%> + +<%@ include file="/init.jsp" %> + +<liferay-ui:error-header /> + +<liferay-ui:error-principal /> \ No newline at end of file
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-2hfj-jv6q-762vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-62244ghsaADVISORY
- github.com/liferay/liferay-portal/commit/0a7a4233881d6fa29fba12695b916d885d76349fghsaWEB
- github.com/liferay/liferay-portal/commit/31cf99363bf615f4a3383ffcc78d800de3fa2465ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62244ghsaWEB
News mentions
0No linked articles in our index yet.