Primary

Context

Liferay Portal and Liferay DXP Commerce Component Virtual Product Access Vulnerability

Vulnerability

Patched

A vulnerability in the Commerce component of Liferay Portal and Liferay DXP allows remote attackers to access and download virtual products for free. This issue affects Liferay Portal versions 7.3.0 through 7.4.3.112, as well as Liferay DXP versions 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35. The vulnerability arises because virtual products uploaded to Documents and Media with guest view permission are saved in a way that can be accessed via a crafted URL.

Impact

Exploitation of this vulnerability allows unauthorized access to virtual products, enabling remote attackers to download them without cost.

Remediation

Users can upgrade to Liferay Portal 7.4.3.113 or Liferay DXP 2024.Q1.1 or 2023.Q4.9 to address this vulnerability.

Added: Sep 19, 2025, 9:16 PM

Updated: Sep 19, 2025, 9:16 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

7.4

remediation

7.7

relevance

0.5

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

7.4

remediation

7.7

relevance

0.5

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Liferay Portal and Liferay DXP Commerce Component Virtual Product Access Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Liferay Portal

Liferay DXP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating