CVE-2025-62242

Insecure Direct Object Reference IDOR vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses fr...

CVE-2025-62241

Insecure Direct Object Reference IDOR vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the...

CVE-2025-62242

CVE-2025-62242 describes an IDOR in Liferay, affecting Liferay Portal 7.4.3.4–7.4.3.111 and Liferay DXP 2023.Q3.1–Q4.5, plus 7.4 GA up to update 92. The vulnerability allows remote authenticated users to view addresses from another account by supplying AccountEntriesAdminPortlet_addressId in the ...

CVE-2025-62242

Insecure Direct Object Reference IDOR vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses fr...

CVE-2025-62242

Insecure Direct Object Reference IDOR vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses fr...

Liferay Publications is vulnerable to Incorrect Authorization

Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the...

GHSA-894W-W643-QVXV Liferay Publications is vulnerable to Incorrect Authorization

Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the...

CVE-2025-62243

Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the...

CVE-2025-62244

Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edi...

CVE-2025-62244

Insecure direct object reference IDOR vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edi...

PT-2025-41803

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.4 through 7.4.3.111 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay Portal versions 7.4 GA through update 92 Description An Insecure Direct Object Referenc...

PT-2025-41811

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.111 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay Portal 7.4 GA through update 92 Description An Insecure Direct Object Reference IDOR iss...

PT-2025-41798

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.1 through 7.4.3.112 Liferay DXP versions 2023.Q3.1 through 2023.Q3.8 Liferay DXP versions 2023.Q4.0 through 2023.Q4.5 Liferay DXP 7.4 GA through update 92 Description An insecure direct object reference IDOR issue...

Liferay Portal和Liferay DXP 安全漏洞

Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...

PT-2025-41802

Name of the Vulnerable Software and Affected Versions Liferay DXP versions 2023.Q4.1 through 2023.Q4.5 Description An Insecure Direct Object Reference IDOR issue exists in Liferay DXP that allows authenticated remote users to access shipment addresses from different virtual instances. This occurs...

CVE-2025-11518

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it...

PT-2025-41703

Name of the Vulnerable Software and Affected Versions HCL Unica Centralized Offer Management affected versions not specified Description The software is susceptible to Insecure Direct Object References IDOR. This allows an attacker to bypass authorization controls and directly access resources...

EUVD-2025-33823

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it...

CVE-2025-11518

The CVE-2025-11518 issue affects the WPC Smart Wishlist for WooCommerce plugin for WordPress (versions ≤ 5.0.3). It is caused by an Insecure Direct Object Reference due to missing validation on a user-controlled key exposed when wishlists are shared, enabling unauthenticated attackers to manipula...

CVE-2025-11518 WPC Smart Wishlist for WooCommerce <= 5.0.3 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it...