How the mentioned CVE works:
This CVE is an Insecure Direct Object Reference (IDOR) vulnerability in Liferay’s user management. The application exposes the internal key `_com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds` as a user-controllable parameter. An authenticated attacker can manipulate this key to reference a user object in a different, isolated virtual instance. Liferay’s authorization checks fail to validate if the user making the request has the correct permissions for the targeted virtual instance. By submitting a crafted HTTP request with a modified key pointing to a user in another instance, the attacker can bypass the multi-tenancy security model and assign an organization to a user outside their authorized scope, violating tenant separation.
Platform: Liferay Portal/DXP
Version: 7.4.0-7.4.3.111
Vulnerability: IDOR Bypass
Severity: Moderate
Date: 2024-10-13
Prediction: 2024-11-10
What Undercode Says:
`curl -X POST 'http://localhost:8080/api/jsonws/user/add-organization-users' --data 'organizationId=12345&userIds=67890'`
How the Exploit Works:
1. Attacker authenticates to Instance A.
2. Attacker discovers a user ID from Instance B.
3. Attacker crafts a POST request.
4. Attacker manipulates the `addUserIds` parameter.
5. Request is processed without a tenant check.
6. Organization is assigned cross-instance.
Protection from this CVE
Update to version 99.0.0.
Implement proper authorization checks.
Validate user-controlled object references.
Apply principle of least privilege.
Use tenant-aware access controls.
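The tenant-aware check the protection list calls for, as an added example that is not Liferay's own code: a constructed Python model in which every user and organization carries the `company_id` of its virtual instance (Liferay's term for the tenant), shown once without the check (the behaviour the advisory describes) and once with it. The sample IDs, the `TenantViolation` class and the helper names are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed model of Liferay multi-tenancy: each user and organization
# belongs to exactly one virtual instance, identified by company_id.
@dataclass(frozen=True)
class User:
    user_id: int
    company_id: int

@dataclass(frozen=True)
class Organization:
    organization_id: int
    company_id: int
    members: frozenset = frozenset()

# Constructed sample data: instance 10 is the caller's, instance 20 is foreign.
USERS = {11111: User(11111, 10), 67890: User(67890, 20)}
ORGS = {12345: Organization(12345, 10)}

class TenantViolation(PermissionError):
    """Raised when a request references an object outside the caller's instance."""

def add_organization_users_unchecked(caller, organization_id, user_ids):
    """Pre-fix behaviour: every supplied userId is resolved by primary key only,
    so a foreign-instance user is assigned as readily as a local one."""
    org = ORGS[organization_id]
    users = [USERS[uid] for uid in user_ids]      # no company_id comparison
    return Organization(org.organization_id, org.company_id,
                        org.members | {u.user_id for u in users})

def add_organization_users_fixed(caller, organization_id, user_ids):
    """Hardened: the organization and every referenced user must live in the
    caller's own virtual instance before any assignment is made."""
    org = ORGS.get(organization_id)
    if org is None or org.company_id != caller.company_id:
        raise TenantViolation(f"organization {organization_id} not in instance {caller.company_id}")
    users = []
    for uid in user_ids:
        u = USERS.get(uid)
        # A missing user and a foreign-instance user get the same error, so the
        # response does not confirm whether an ID exists in another instance.
        if u is None or u.company_id != caller.company_id:
            raise TenantViolation(f"userId {uid} not in instance {caller.company_id}")
        users.append(u)
    return Organization(org.organization_id, org.company_id,
                        org.members | {u.user_id for u in users})

def rejects_cross_instance(caller, organization_id, user_ids):
    """True if the hardened path refuses the request (useful for a regression test)."""
    try:
        add_organization_users_fixed(caller, organization_id, user_ids)
        return False
    except TenantViolation:
        return True
```

In a real deployment the instance comparison belongs in the service layer alongside the permission check, not only in the portlet that parses the `addUserIds` parameter, so that the JSON web service path is covered too.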
Impact:
Cross-tenant data manipulation.
Violation of tenant isolation.
Unauthorized user modifications.
Potential data integrity loss.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode