Moderate severity · NVD Advisory · Published Oct 13, 2025 · Updated Oct 14, 2025
CVE-2025-62252
Description
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:com.liferay.portal.impl (Maven) | < 99.0.0 | 99.0.0 |
Affected products
- Liferay/DXP v5 — Range: 7.4.13
Patches
8c3fc088f82f — LPD-16328 Add integration test
1 file changed · +90 −0
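--- /dev/null
+++ b/modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserServiceTest.java
@@ -0,0 +1,90 @@
+/**
+ * SPDX-FileCopyrightText: (c) 2024 Liferay, Inc. https://liferay.com
+ * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06
+ */
+
+package com.liferay.user.service.test;
+
+import com.liferay.arquillian.extension.junit.bridge.junit.Arquillian;
+import com.liferay.portal.kernel.model.Company;
+import com.liferay.portal.kernel.model.Organization;
+import com.liferay.portal.kernel.model.OrganizationConstants;
+import com.liferay.portal.kernel.model.User;
+import com.liferay.portal.kernel.security.permission.PermissionChecker;
+import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil;
+import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
+import com.liferay.portal.kernel.service.OrganizationLocalService;
+import com.liferay.portal.kernel.service.UserService;
+import com.liferay.portal.kernel.test.rule.AggregateTestRule;
+import com.liferay.portal.kernel.test.rule.DataGuard;
+import com.liferay.portal.kernel.test.util.CompanyTestUtil;
+import com.liferay.portal.kernel.test.util.RandomTestUtil;
+import com.liferay.portal.kernel.test.util.UserTestUtil;
+import com.liferay.portal.test.rule.Inject;
+import com.liferay.portal.test.rule.LiferayIntegrationTestRule;
+
+import org.junit.Assert;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * @author Danny Situ
+ */
+@DataGuard(scope = DataGuard.Scope.METHOD)
+@RunWith(Arquillian.class)
+public class UserServiceTest {
+
+	@ClassRule
+	@Rule
+	public static final AggregateTestRule aggregateTestRule =
+		new LiferayIntegrationTestRule();
+
+	@Test
+	public void testAddInvalidOrganizationUsers() throws Exception {
+		PermissionChecker originalPermissionChecker =
+			PermissionThreadLocal.getPermissionChecker();
+
+		User user1 = UserTestUtil.addUser();
+
+		Company company = CompanyTestUtil.addCompany();
+
+		User user2 = UserTestUtil.addCompanyAdminUser(company);
+
+		Organization organization = _organizationLocalService.addOrganization(
+			user2.getUserId(),
+			OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID,
+			RandomTestUtil.randomString(), false);
+
+		try {
+			PermissionThreadLocal.setPermissionChecker(
+				PermissionCheckerFactoryUtil.create(user2));
+
+			_userService.addOrganizationUsers(
+				organization.getOrganizationId(),
+				new long[] {user1.getUserId()});
+
+			Assert.fail();
+		}
+		catch (Exception exception) {
+			String message = exception.getMessage();
+
+			Assert.assertTrue(
+				message.contains(
+					"User " + user2.getUserId() +
+						" must have VIEW permission"));
+		}
+		finally {
+			PermissionThreadLocal.setPermissionChecker(
+				originalPermissionChecker);
+		}
+	}
+
+	@Inject
+	private OrganizationLocalService _organizationLocalService;
+
+	@Inject
+	private UserService _userService;
+
+}
\ No newline at end of file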
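Review bot: The `catch (Exception exception)` block in `testAddInvalidOrganizationUsers` accepts any exception and then checks only a message substring, so a NullPointerException or a reworded message would surface as an unrelated assertion failure rather than a clear one; catching the specific permission exception type that `addOrganizationUsers` throws here (presumably Liferay's PrincipalException — confirm) and keeping the message check as a secondary assertion would make the test both tighter and easier to read. `exception.getMessage()` can also be null for some exception types, which turns `message.contains(...)` into an NPE inside the catch block; asserting on the exception type first, or using `String.valueOf(exception.getMessage())`, avoids that. The test covers only the cross-instance rejection; a companion test in which `user1` belongs to the same company as the organization and the call succeeds would show the new check does not over-reject. This is a newly added file, so the whole class is visible in the section.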
e7b6074a320a — LPD-16328 Validate userIds being added to organizations
1 file changed · +8 −0
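--- a/portal-impl/src/com/liferay/portal/service/impl/UserServiceImpl.java
+++ b/portal-impl/src/com/liferay/portal/service/impl/UserServiceImpl.java
@@ -171,6 +171,8 @@ public void addOrganizationUsers(long organizationId, long[] userIds)
 			return;
 		}
 
+		validateUserIds(userIds);
+
 		OrganizationPermissionUtil.check(
 			getPermissionChecker(), organizationId, ActionKeys.ASSIGN_MEMBERS);
 
@@ -3915,6 +3917,12 @@ protected void validateUpdatePermission(
 		}
 	}
 
+	protected void validateUserIds(long[] userIds) throws PortalException {
+		for (long userId : userIds) {
+			getUserById(userId);
+		}
+	}
+
 	private static final Log _log = LogFactoryUtil.getLog(
 		UserServiceImpl.class);
 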
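Review bot: `validateUserIds(userIds)` is called before `OrganizationPermissionUtil.check(..., ActionKeys.ASSIGN_MEMBERS)` in the first hunk, so a caller who may not assign members to the organization at all still gets `getUserById` evaluated for every submitted ID and can learn from the resulting exception whether an ID exists and whether it is visible to them; moving the call below the organization check, `OrganizationPermissionUtil.check(getPermissionChecker(), organizationId, ActionKeys.ASSIGN_MEMBERS); validateUserIds(userIds);`, closes that probe without weakening the fix. The new method also delegates the whole cross-instance rule to whatever `getUserById` enforces (the accompanying integration test expects a "must have VIEW permission" failure, which suggests a per-user permission check rather than an explicit instance comparison), so an explicit check that each user's `getCompanyId()` matches the organization's company would state the intent directly and survive a later change to the view-permission rules. A short comment on the method would help the next reader, e.g. `// Reject any user ID the caller may not view, including users of another virtual instance (LPD-16328).` If the early `return` at the top of the first hunk does not already cover a null `userIds`, the for-each in `validateUserIds` throws a NullPointerException. `addOrganizationUsers` begins and ends outside the hunk.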
Vulnerability mechanics
As far as the linked patch shows: before the fix, `UserServiceImpl.addOrganizationUsers(organizationId, userIds)` checked only that the caller held ASSIGN_MEMBERS on the target organization and did not validate the submitted user IDs themselves, so an authenticated user in one virtual instance (company) could supply IDs of users belonging to a different instance through the `_com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds` request parameter and have them assigned to an organization. The fix (e7b6074a320a) adds `validateUserIds`, which calls `getUserById` for each submitted ID; the accompanying integration test (8c3fc088f82f) creates a user in a second company and expects the call to fail with a "must have VIEW permission" error, indicating that the per-user lookup's permission check is what now rejects cross-instance IDs. Exploitation requires an authenticated account that can presumably reach the users-admin portlet; the advisory describes no impact beyond the unauthorized organization membership assignment.
References
- github.com/advisories/GHSA-pfwq-mr9g-gq6m (ADVISORY, listed by GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-62252 (ADVISORY, listed by GHSA)
- github.com/liferay/liferay-portal/commit/8c3fc088f82ffc981a21935e8b6dcf8f36e27152 (WEB, listed by GHSA — integration test commit)
- github.com/liferay/liferay-portal/commit/e7b6074a320a8872ffe9423c3d1a64dada4f3238 (WEB, listed by GHSA — fix commit)
- liferay.atlassian.net/browse/LPE-17941 (WEB, listed by GHSA — vendor issue tracker)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62252 (WEB, listed by GHSA — vendor advisory)