Insecure Direct Object Reference (IDOR)

com.liferay.commerce, com.liferay.commerce.order.content.web is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to improper access control on the CommerceOrderPortletcommerceOrderId parameter, which allows an attacker to access shipment addresses from other virtual...

CVE-2025-62241

Insecure Direct Object Reference IDOR vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the...

CVE-2025-43810

Insecure Direct Object Reference IDOR vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a...

CVE-2025-43810

Insecure Direct Object Reference IDOR vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a...