Liferay Portal and Liferay DXP Insecure Direct Object Reference Vulnerability in Roles Selector Portlet

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Liferay Portal versions 7.4.0 through 7.4.3.132 and in several Liferay DXP releases. The flaw is in the handling of the groupId parameter of the Roles Selector Portlet: the portlet resolves the user list for whatever groupId the client supplies without confirming that the requesting organization administrator is entitled to view the members of that particular group. An organization administrator can therefore replace the groupId in the request with another organization's groupId and retrieve that organization's user list.
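The pattern behind this class of bug, as an added illustration that is not Liferay's code: a "list users of group" handler that only checks the caller's role and then dereferences the caller-supplied groupId, beside the hardened form that authorizes the caller against the specific group the request names. The Directory, Organization and User classes, the sample organizations and the handler signatures are constructed for this example; only the shape of the flaw mirrors the advisory.

```python
"""Model of an IDOR in a 'list users of group' endpoint, and its fix.

Added example, not Liferay's code. Class names, the in-memory directory
and the handler signatures are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: int
    name: str


@dataclass
class Organization:
    group_id: int                              # the value a client sends as groupId
    name: str
    members: list = field(default_factory=list)
    admins: set = field(default_factory=set)   # user_ids of organization administrators


class Directory:
    """Constructed sample data: two organizations, each with its own administrator."""

    def __init__(self):
        self.orgs = {
            100: Organization(100, "Org-A",
                              members=[User(1, "alice"), User(2, "amir")],
                              admins={1}),
            200: Organization(200, "Org-B",
                              members=[User(3, "bob"), User(4, "bianca")],
                              admins={3}),
        }

    def is_org_admin(self, user_id):
        """Role check only: is this user an administrator of ANY organization?"""
        return any(user_id in org.admins for org in self.orgs.values())

    def can_view_members(self, user_id, group_id):
        """Object-level check: may this user view the members of THIS group?"""
        org = self.orgs.get(group_id)
        return org is not None and user_id in org.admins


def list_group_users_vulnerable(directory, caller_id, group_id):
    """Vulnerable pattern: the role check passes for any organization admin,
    after which the caller-supplied groupId is dereferenced directly."""
    if not directory.is_org_admin(caller_id):
        raise PermissionError("not an organization administrator")
    org = directory.orgs.get(group_id)
    if org is None:
        raise LookupError(f"no group {group_id}")
    return [u.name for u in org.members]


def list_group_users_fixed(directory, caller_id, group_id):
    """Hardened pattern: authorization is evaluated against the object the
    request names, not against the caller's role alone."""
    if not directory.can_view_members(caller_id, group_id):
        # Same response whether the group is missing or merely forbidden,
        # so the endpoint does not reveal which groupIds exist.
        raise PermissionError(f"not authorized to view members of group {group_id}")
    return [u.name for u in directory.orgs[group_id].members]


def cross_org_leak(handler, directory):
    """Regression check: True if an administrator of one organization can read
    another organization's member list through `handler` by swapping groupId."""
    for org in directory.orgs.values():
        for admin_id in org.admins:
            for other_id in directory.orgs:
                if other_id == org.group_id:
                    continue
                try:
                    handler(directory, admin_id, other_id)
                except PermissionError:
                    continue
                return True
    return False


if __name__ == "__main__":
    d = Directory()
    # Org-A's administrator (user 1) tampers groupId from 100 to 200.
    print(list_group_users_vulnerable(d, 1, 200))          # Org-B's users leak
    print(cross_org_leak(list_group_users_vulnerable, d))  # True
    print(cross_org_leak(list_group_users_fixed, d))       # False
```

The point of `cross_org_leak` is that the test of an IDOR fix is not "does the endpoint require a privileged role" but "does every accepted object identifier get checked against the caller's rights on that object"; a handler that passes the first test and fails the second is exactly the situation the advisory describes.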

Impact

Exploitation requires an authenticated account that already holds the organization administrator role in at least one organization. Such an account can read the user lists of other organizations that it does not administer, which is an information disclosure across organization boundaries.

Remediation

For Liferay Portal, the fix is available on the master branch. For Liferay DXP, upgrade to version 2025.Q2.0, 2025.Q1.11, or 2024.Q1.18. Instructions for downloading Liferay DXP are available on the Liferay website. Until an upgrade is applied, the exposure is limited to accounts holding the organization administrator role, so reviewing who holds that role bounds the set of users able to exploit the issue.

Added: Aug 18, 2025, 2:18 PM
Updated: Aug 18, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.