
Commit 86f8142

1 parent 9e1bc78 commit 86f8142


1 file changed

+38
-5
lines changed


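--- a/advisories/unreviewed/2025/10/GHSA-fhcw-px4q-pmvv/GHSA-fhcw-px4q-pmvv.json
+++ b/advisories/github-reviewed/2025/10/GHSA-fhcw-px4q-pmvv/GHSA-fhcw-px4q-pmvv.json
@@ -1,24 +1,57 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fhcw-px4q-pmvv",
-"modified": "2025-10-13T21:31:10Z",
+"modified": "2025-10-13T22:55:26Z",
 "published": "2025-10-13T21:31:10Z",
 "aliases": [
 "CVE-2025-62241"
 ],
+"summary": "Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key",
 "details": "Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.",
 "severity": [
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Maven",
+"name": "com.liferay.commerce:com.liferay.commerce.order.content.web"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "4.0.114"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62241"
 },
+{
+"type": "WEB",
+"url": "https://github.com/liferay/liferay-portal/commit/53401963f02f593bbf555b4b321fdaeb59e03a53"
+},
+{
+"type": "WEB",
+"url": "https://github.com/liferay/liferay-portal/commit/75c39ea518eb91b3b5cbb0576074ebbbfd805401"
+},
+{
+"type": "WEB",
+"url": "https://liferay.atlassian.net/browse/LPE-17936"
+},
 {
 "type": "WEB",
 "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62241"
@@ -29,8 +62,8 @@
 "CWE-639"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2025-10-13T22:55:26Z",
 "nvd_published_at": "2025-10-13T20:15:34Z"
 }
 }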
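Review bot: The new `affected` range in the first hunk starts at `"introduced": "0"`, so every release of `com.liferay.commerce:com.liferay.commerce.order.content.web` below 4.0.114 is marked vulnerable, while `details` limits the issue to Liferay DXP 2023.Q4.1 through 2023.Q4.5. If the first module version shipped with 2023.Q4.1 is known, the lower bound should be that version, e.g. `"introduced": "<first affected module version>"`; otherwise dependency scanners will alert on older builds that the vendor text does not list as affected. The mapping from the DXP quarterly releases to module version 4.0.114 is not visible on this page, so it is worth confirming against the two linked liferay-portal commits before the range is relied on for triage.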
