Liferay Commerce Order IDOR Exploit

MEDIUM (4.3) No Patch (82 days)

Threat Intelligence

Low Risk
EPSS Score: 0.05% chance of exploitation (percentile: 15%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Liferay Portal is a Java-based enterprise portal software used by organizations for content management and collaboration. The vulnerability in question allows remote authenticated users to add notes to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter, potentially leading to unauthorized access to sensitive information.

Am I affected?

Affected versions: 7.4.3.112, 2023

If you don't recognise this software, you're probably not affected.

Affected Products

Liferay / Liferay DXP

How to fix

Upgrade to Liferay DXP 2023.Q4.9 or later.

For immediate mitigations:
- Restrict network access to your Liferay instance (firewall it from the public internet)
- Audit admin account activity for suspicious access patterns
- Monitor for unauthorized token creation
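To show the class of bug described above and the shape of the fix, here is an added, hypothetical illustration (not Liferay's code; the class, method and field names are assumptions): an order-note handler that trusts the caller-supplied commerceOrderId on its own, beside one that also requires the order to belong to the caller's own virtual instance.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical minimal model: an order is owned by one virtual instance (companyId).
// Added illustration only; this is not Liferay's implementation.
public class OrderNoteAuthz {
    static final class Order {
        final long orderId;
        final long companyId;
        final StringBuilder notes = new StringBuilder();
        Order(long orderId, long companyId) { this.orderId = orderId; this.companyId = companyId; }
    }

    // Constructed sample data: two orders living in two different virtual instances.
    private final Map<Long, Order> orders = new HashMap<>();
    OrderNoteAuthz() {
        orders.put(1001L, new Order(1001L, 10L)); // belongs to instance 10
        orders.put(2002L, new Order(2002L, 20L)); // belongs to instance 20
    }

    // Vulnerable pattern (IDOR): the id taken from the request parameter is the only key,
    // so the caller's own instance (callerCompanyId) never enters the decision and an
    // authenticated user in instance 10 can write a note onto an order in instance 20.
    boolean addNoteVulnerable(long callerCompanyId, long commerceOrderId, String note) {
        Order order = orders.get(commerceOrderId);
        if (order == null) return false;
        order.notes.append(note).append('\n');
        return true;
    }

    // Hardened pattern: the lookup is scoped to the caller's virtual instance. An id from
    // another instance is handled exactly like a missing order, so the response does not
    // even confirm that the foreign order exists.
    boolean addNoteScoped(long callerCompanyId, long commerceOrderId, String note) {
        Order order = orders.get(commerceOrderId);
        if (order == null || order.companyId != callerCompanyId) return false;
        order.notes.append(note).append('\n');
        return true;
    }

    public static void main(String[] args) {
        OrderNoteAuthz svc = new OrderNoteAuthz();
        // Caller is in instance 10 and supplies an order id that belongs to instance 20.
        System.out.println("vulnerable cross-instance write: " + svc.addNoteVulnerable(10L, 2002L, "x"));
        System.out.println("scoped cross-instance write:     " + svc.addNoteScoped(10L, 2002L, "x"));
        System.out.println("scoped write to own order:       " + svc.addNoteScoped(10L, 1001L, "x"));
    }
}
```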
