How the mentioned CVE works:
This CVE is an Insecure Direct Object Reference (IDOR) vulnerability in Liferay DXP’s Commerce Order Portlet. The application exposes a user-controlled key, the ‘commerceOrderId’ parameter, which is used to directly access shipment address objects. The system fails to verify that the requested shipment address belongs to the same virtual instance as the currently authenticated user. A remote attacker, authenticated in one virtual instance, can manipulate this parameter to reference orders from a completely separate virtual instance. This allows the attacker to bypass the intended authorization checks and view sensitive shipment address information that should be isolated within another tenant’s virtual instance, leading to a cross-instance data leak.
DailyCVE Form:
Platform: Liferay DXP
Version: 2023.Q4.1-5
Vulnerability: IDOR
Severity: Moderate
Date: 2025-10-13
Prediction: Patch available
What Undercode Says:

Request shape that exercises the vulnerable parameter:

```shell
curl -H "Authorization: Bearer $USER_TOKEN" "http://liferay-instance/o/headless-commerce-admin-order/v1.0/orders/$MANIPULATED_ORDER_ID"
```

Vulnerable parameter access in the portlet:

```java
// Example vulnerable parameter access
long commerceOrderId = ParamUtil.getLong(request, "_com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId");

// Missing virtual instance check before fetching the address
CommerceOrderAddress address = commerceOrderAddressService.getCommerceOrderAddressForOrder(commerceOrderId);
```
How the Exploit Works:
1. Attacker logs into Virtual Instance A.
2. Attacker discovers a valid `commerceOrderId` from Virtual Instance B.
3. Attacker sends a GET request to the CommerceOrderPortlet endpoint.
4. Attacker sets the parameter to the discovered ID from Instance B.
5. The application returns the shipment address, bypassing instance isolation.
Protection from this CVE:
- Apply the vendor patch.
- Implement instance-level authorization.
- Use indirect reference maps.
- Validate the user context.
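The missing check described above, shown as an added illustration of the hardened lookup (this is not Liferay's actual patch and not code from the original post). It assumes `CommerceOrderAddress` and `commerceOrderAddressService.getCommerceOrderAddressForOrder` exist with the shape shown in the vulnerable snippet; `ParamUtil`, `PortalUtil`, `PrincipalException` and `CommerceOrderLocalService.getCommerceOrder` are standard Liferay APIs.

```java
import com.liferay.commerce.model.CommerceOrder;
import com.liferay.commerce.service.CommerceOrderLocalService;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PortalUtil;

import javax.servlet.http.HttpServletRequest;

public class ShipmentAddressGuard {

    // Parameter name taken from the vulnerable snippet on this page.
    private static final String ORDER_ID_PARAM =
        "_com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId";

    private final CommerceOrderLocalService commerceOrderLocalService;

    // Assumed: the address service referenced by the vulnerable snippet.
    private final CommerceOrderAddressService commerceOrderAddressService;

    public ShipmentAddressGuard(
            CommerceOrderLocalService commerceOrderLocalService,
            CommerceOrderAddressService commerceOrderAddressService) {
        this.commerceOrderLocalService = commerceOrderLocalService;
        this.commerceOrderAddressService = commerceOrderAddressService;
    }

    public CommerceOrderAddress getShipmentAddress(HttpServletRequest request)
            throws PortalException {
        long commerceOrderId = ParamUtil.getLong(request, ORDER_ID_PARAM);

        // Virtual instance (companyId) of the caller, resolved server-side from
        // the authenticated session, never from a request parameter.
        long callerCompanyId = PortalUtil.getCompanyId(request);

        // Load the order by its user-supplied id; a missing order surfaces as
        // PortalException here, before any address data is touched.
        CommerceOrder order = commerceOrderLocalService.getCommerceOrder(commerceOrderId);

        // The check the vulnerable code omitted: the order must belong to the
        // caller's own virtual instance, otherwise deny before returning anything.
        if (order.getCompanyId() != callerCompanyId) {
            throw new PrincipalException(
                "Order " + commerceOrderId + " is not in the caller's virtual instance");
        }

        return commerceOrderAddressService.getCommerceOrderAddressForOrder(commerceOrderId);
    }
}
```

Denying with the same error for "not found" and "wrong instance" keeps the response from confirming that an id exists in another tenant.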
Impact:
- Cross-instance data leak.
- Exposure of shipment addresses.
- Authorization bypass.
- Information disclosure.
Sources:
Reported By: github.com