Metrics
Affected Vendors & Products
Source | ID | Title |
---|---|---|
![]() |
EUVD-2025-30442 | Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a note to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. |
![]() |
GHSA-f372-9rcj-8w2c | Liferay Portal and DXP allows users to add a note to a different virtual instance |
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Tue, 23 Sep 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Liferay
Liferay dxp Liferay portal |
|
Vendors & Products |
Liferay
Liferay dxp Liferay portal |
|
Metrics |
ssvc
|
Mon, 22 Sep 2025 22:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a note to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. | |
Weaknesses | CWE-639 | |
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: Liferay
Published:
Updated: 2025-09-23T15:55:46.158Z
Reserved: 2025-04-17T10:55:33.794Z
Link: CVE-2025-43810

Updated: 2025-09-23T15:53:35.304Z

Status : Awaiting Analysis
Published: 2025-09-22T23:15:37.217
Modified: 2025-09-24T18:11:34.720
Link: CVE-2025-43810

No data.

Updated: 2025-09-23T16:03:34Z