Primary

Context

Liferay DXP IDOR Vulnerability in Shipment Address Management

Vulnerability

Patched

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Liferay DXP versions 2023.Q4.1 through 2023.Q4.5. This vulnerability allows remote authenticated users to access shipment addresses from different virtual instances by manipulating the 'commerceOrderId' parameter in the 'CommerceOrderPortlet'.

Impact

Exploitation of this vulnerability allows for unauthorized access to shipment addresses from other virtual instances.

Remediation

Users can upgrade to Liferay DXP 2024.Q1.1 or Liferay DXP 2023.Q4.6 to address this vulnerability.

Added: Oct 13, 2025, 8:17 PM

Updated: Oct 13, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

5.2

remediation

7.7

relevance

0.7

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

5.2

remediation

7.7

relevance

0.7

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Liferay DXP IDOR Vulnerability in Shipment Address Management

Vulnerability

Impact

Remediation

Affected Products

Liferay DXP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating