Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key

Insecure Direct Object Reference IDOR vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the...

CVE-2025-62241

CVE-2025-62241 affects Liferay DXP 2023.Q4.1–2023.Q4.5 and involves an IDOR in the CommerceOrderPortlet_commerceOrderId parameter, allowing an authenticated user to view shipment addresses from other virtual instances. Affected component is com.liferay.commerce, with the underlying issue being im...